From reading the official criminal complaint [1] it looks like Microsoft literally logs all web requests along with the GDID and sends it over as "telemetry". It basically associates the URL, the client's IP, and the GDID together.
Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.
1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline
> Microsoft literally logs all web requests
Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.
Clearly a bunch of defensive Microsoft employees are hitting these threads. The official complaint directly cites Microsoft as the source of these logs. They refer to Microsoft as the source of the records for web requests, app usage, and so on.