Security researcher Korben published a detailed walkthrough on May 17, 2026, exposing how the Windows 11 General Device Identifier (GDID) persists even after users delete its corresponding registry value. The identifier, tied to your Microsoft account, regenerates automatically and can be used to correlate your activity across different VPN sessions, effectively neutralizing one of the most common privacy tools.
Korben’s analysis comes just weeks after the high-profile arrest of an alleged Scattered Spider affiliate in April 2026, where U.S. law enforcement reportedly used GDID to link the suspect’s devices despite extensive VPN usage. The revelation has ignited fresh debate about the extent of Windows telemetry and whether users can ever truly anonymize their PC.
The GDID stays put — here’s what Korben found
The GDID exists in the Windows Registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GdidStore as a 32-digit hexadecimal value. On a fresh Windows 11 installation, the value is generated when you first sign in with a Microsoft account. Korben demonstrated that if you manually delete the GDID key, it reappears within minutes — or immediately after a reboot — as long as the device remains linked to the same Microsoft account.
This behavior differs from other advertising or diagnostic identifiers, such as the Advertising ID, which can be reset and turned off. The GDID is not a random token; it appears to be cryptographically derived from your Microsoft account and hardware characteristics, making it consistent across Windows reinstallations on the same hardware if you sign in again. Even running Windows 11 with a local account doesn’t eliminate the GDID — Korben found that the identifier is created and stored locally, but if you later switch to a Microsoft account, that same value becomes anchored in the cloud.
What this means for your privacy
For everyday users, the GDID’s persistence means that Microsoft — and potentially any entity with lawful access to its data — can link your online and offline activities across networks, browsers, and even after you think you’ve scrubbed identifiers. While Microsoft says it uses device identifiers for “security, fraud detection, and service improvement,” the inability to opt out or permanently delete it raises questions about compliance with data minimization principles under regulations like GDPR.
Home users: If you rely on a VPN for privacy, be aware that the GDID acts as a persistent fingerprint. Websites and services that integrate with Microsoft identity systems could potentially recognize your device even if you change IP addresses, clear cookies, or use incognito modes. This undermines the anonymity that VPNs are supposed to provide.
Power users and administrators: In corporate environments, the GDID might be replicated across devices when employees use the same Microsoft account for sign-in — a practice often discouraged but still common. For IT teams managing privacy-sensitive workflows, this means a single account-based identifier could be used to track user behavior across multiple workstations, even on separate networks.
Developers: Microsoft’s documentation for the GDID is sparse, but its existence impacts applications that rely on device uniqueness for fraud prevention. If you’re building authentication or anti-abuse systems, you might consider using the GDID as an additional signal — but only after understanding its privacy implications.
How we got here: Microsoft’s expanding device identity web
Windows has long included hardware-based identifiers. Since Windows 10, Microsoft tied activation and license management to a “device identity” stored in the cloud. With Windows 11, Microsoft began requiring a Microsoft account for many features, accelerating the linkage between accounts and devices. The GDID first appeared in Windows 11 build 22000.51 (June 2021), but remained largely unexamined until privacy researchers started digging in late 2025.
The April 2026 arrest of a Scattered Spider suspect thrust GDID into the spotlight. Court documents unsealed in the Central District of California revealed that Microsoft had provided telemetry data, including GDIDs, to the FBI. The suspect used multiple VPN services, yet investigators correlated sessions using the persistent identifier. This marked one of the first known cases where the GDID was explicitly cited as a tracking mechanism in a criminal prosecution.
Microsoft has not publicly commented on the GDID beyond its standard privacy statement, which says: “We collect device identifiers to help protect the security of your account and to improve our services. Some identifiers, like the General Device Identifier, are associated with your Microsoft account and cannot be removed without deleting your account.” This policy has been criticized by digital rights groups, including the Electronic Frontier Foundation, as overbroad.
What you can do now: Mitigations and trade-offs
There is no supported method to permanently block or delete the GDID on a system that uses a Microsoft account. However, you can take steps to limit its impact:
- Use a local account only: Installing Windows 11 without a Microsoft account prevents the GDID from being linked to an online identity. The identifier still exists locally but is never synced to Microsoft’s cloud — until you eventually sign in.
- Reset the GDID before sensitive sessions: Korben’s analysis showed that deleting the registry key and immediately signing out (or using a tool that blocks the identifier from being re-created) can temporarily remove it, but the value snaps back once Microsoft’s services push a sync. This is not a practical ongoing solution.
- Consider alternative operating systems: If device anonymity is critical, running a live Linux distribution or a privacy-focused OS like Tails remains the only surefire way to avoid hardware-linked identifiers.
- Review your Microsoft account data: You can view and export much of the data Microsoft stores about your devices at account.microsoft.com/privacy. While the GDID is not separately listed, you can see connected devices and associated telemetry. Deleting a device from your account does not delete the GDID history already collected.
- Feedback to Microsoft: Use the Windows Feedback Hub to request an opt-out toggle for the GDID. Collective pressure can influence policy changes, as seen with the Advertising ID reset option added in Windows 10 version 1803.
Outlook: Will Microsoft budge?
Regulatory scrutiny in the EU and U.S. may force Microsoft to offer more transparency and control over the GDID. The forthcoming Digital Markets Act updates in Europe could classify persistent device identifiers as “privacy-invasive” under new guardian provisions. Meanwhile, researchers are developing community tools to monitor and potentially block the identifier’s re-creation, though such tools run the risk of violating Microsoft’s terms of service.
For now, the GDID remains a silent, stubborn footprint on every Windows 11 machine. Its role in the Scattered Spider case proves it’s not theoretical — law enforcement and, by extension, threat actors, can use it to pierce anonymity. The question is whether users will get a meaningful choice to erase it.