Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled

doener1 pts0 comments

Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled, Documented in FBI Case Filing - gHacks Tech News

Microsoft has publicly acknowledged the existence of the Global Device Identifier (GDID), a device-specific ID assigned to Windows installations, in a federal complaint filed by US prosecutors against an alleged member of the Scattered Spider hacking group.<br>The ID is generated when Windows is set up with a Microsoft Account, persists through Windows updates, and cannot be disabled without affecting Windows activation and Microsoft Store apps.<br>Microsoft briefly mentioned GDID in the Azure Monitor documentation, describing it only as "an identifier used by Microsoft internally." The complaint cites a Microsoft representative describing GDID as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios."<br>What the Windows Global Device Identifier Is and How the FBI Used It<br>The Global Device Identifier (GDID) is a permanent ID assigned when Windows provisions against a Microsoft Account. It is generated by a chain of Windows services.<br>The wlidsvc service requests a Device PUID from login.live.com, which is then registered into Microsoft's Device Directory Service by the Connected Devices Platform.<br>Delivery Optimization reports the GDID back to Microsoft when the PC shares or downloads updates. This identifier is stored in the Windows registry under HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties and formatted with a lowercase "g" prefix followed by a decimal number.<br>It is reported to Microsoft servers and remains persistent across Windows updates, but it is not retained after a clean reinstall. Microsoft has acknowledged that one user can have multiple GDIDs linked through their account, OneDrive, and activation history.<br>The FBI used the GDID to track Peter Stokes, alleged member of Scattered Spider, across VPN connections, proxy servers, and through four countries over roughly eight months.<br>According to the complaint, the GDID g:6755467234350028 was recorded visiting the ngrok signup page at the same time an account used in the attack was created via a Tzulo VPN proxy. Three hours later, the same GDID accessed a victim retailer's website through the same proxy.<br>The device was cross-referenced with IP addresses linked to Stokes's accounts on Snapchat, Facebook, Apple, and Ubisoft across Estonia, New York, Thailand, and other locations. Stokes's public Snapchat photos matched hotel bookings, locations, and travel timelines associated with the GDID.<br>The persistent nature of the GDID across VPN sessions proved a key investigative asset. While VPN IP addresses change frequently, the underlying Windows installation continued reporting the same identifier, aiding investigators in their tracking efforts.<br>Why Privacy Researchers Are Concerned and What Users Can Do<br>Multiple security researchers have raised concerns about the visibility and control users have over GDID:

There is no consent screen when GDID is assigned. Apple's advertising identifier requires an App Tracking Transparency prompt with a visible reset. Android provides similar controls. GDID has neither.

Activation dependence. Massgrave, the group behind Microsoft Activation Scripts, has noted that Windows setup sends hardware info to Microsoft and receives identifiers back that are later used for Store access and licensing. Blocking GDID assignment breaks both activation and UWP apps.

Reinstalling Windows produces a new GDID, but signing back into the same Microsoft Account gives Microsoft a clear path to link the new identifier to previous activity.

Microsoft's public documentation of the identifier consists of one sentence in an Azure Monitor reference table for enterprise IT administrators.

Security researcher Matthew Hickey has characterized Windows as "surveillance software" in response to the case. Costin Raiu asked on the Three Buddy Problem podcast how much similar functionality exists on other platforms.<br>Users concerned about GDID have limited direct options because the identifier cannot be turned off without breaking core Windows functionality. Practical steps that reduce related tracking include:

Use a local account instead of a Microsoft Account when possible. Windows 11 has made this harder in recent versions, but the option is still available during setup for users who know how to reach it.

Turn off optional diagnostic data through Settings, Privacy and security, Diagnostics and feedback.

Disable personalized ads and launch tracking under Privacy and security, Recommendations and offers.

Turn off Cloud Content Search under Privacy and security, Search, to stop local searches from sending data to Bing.

Review and disable Activity History and other telemetry options in Privacy and security settings.

For...

microsoft windows gdid identifier device account

Related Articles