Tech

Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled, Documented in FBI Case Filing

Microsoft has publicly acknowledged the existence of the Global Device Identifier (GDID), a device-specific ID assigned to Windows installations, in a federal complaint filed by US prosecutors against an alleged member of the Scattered Spider hacking group.

The ID is generated when Windows is set up with a Microsoft Account, persists through Windows updates, and cannot be disabled without affecting Windows activation and Microsoft Store apps.

Microsoft briefly mentioned GDID in the Azure Monitor documentation, describing it only as “an identifier used by Microsoft internally.” The complaint cites a Microsoft representative describing GDID as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios.”

What the Windows Global Device Identifier Is and How the FBI Used It

The Global Device Identifier (GDID) is a permanent ID assigned when Windows provisions against a Microsoft Account. It is generated by a chain of Windows services.

The wlidsvc service requests a Device PUID from login.live.com, which is then registered into Microsoft’s Device Directory Service by the Connected Devices Platform.

Delivery Optimization reports the GDID back to Microsoft when the PC shares or downloads updates. This identifier is stored in the Windows registry under HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties and formatted with a lowercase “g” prefix followed by a decimal number.

It is reported to Microsoft servers and remains persistent across Windows updates, but it is not retained after a clean reinstall. Microsoft has acknowledged that one user can have multiple GDIDs linked through their account, OneDrive, and activation history.

The FBI used the GDID to track Peter Stokes, alleged member of Scattered Spider, across VPN connections, proxy servers, and through four countries over roughly eight months.

According to the complaint, the GDID g:6755467234350028 was recorded visiting the ngrok signup page at the same time an account used in the attack was created via a Tzulo VPN proxy. Three hours later, the same GDID accessed a victim retailer’s website through the same proxy.

The device was cross-referenced with IP addresses linked to Stokes’s accounts on Snapchat, Facebook, Apple, and Ubisoft across Estonia, New York, Thailand, and other locations. Stokes’s public Snapchat photos matched hotel bookings, locations, and travel timelines associated with the GDID.

The persistent nature of the GDID across VPN sessions proved a key investigative asset. While VPN IP addresses change frequently, the underlying Windows installation continued reporting the same identifier, aiding investigators in their tracking efforts.

Why Privacy Researchers Are Concerned and What Users Can Do

Multiple security researchers have raised concerns about the visibility and control users have over GDID:

  • There is no consent screen when GDID is assigned. Apple’s advertising identifier requires an App Tracking Transparency prompt with a visible reset. Android provides similar controls. GDID has neither.
  • Activation dependence. Massgrave, the group behind Microsoft Activation Scripts, has noted that Windows setup sends hardware info to Microsoft and receives identifiers back that are later used for Store access and licensing. Blocking GDID assignment breaks both activation and UWP apps.
  • Reinstalling Windows produces a new GDID, but signing back into the same Microsoft Account gives Microsoft a clear path to link the new identifier to previous activity.
  • Microsoft’s public documentation of the identifier consists of one sentence in an Azure Monitor reference table for enterprise IT administrators.

Security researcher Matthew Hickey has characterized Windows as “surveillance software” in response to the case. Costin Raiu asked on the Three Buddy Problem podcast how much similar functionality exists on other platforms.

Users concerned about GDID have limited direct options because the identifier cannot be turned off without breaking core Windows functionality. Practical steps that reduce related tracking include:

  1. Use a local account instead of a Microsoft Account when possible. Windows 11 has made this harder in recent versions, but the option is still available during setup for users who know how to reach it.
  2. Turn off optional diagnostic data through Settings, Privacy and security, Diagnostics and feedback.
  3. Disable personalized ads and launch tracking under Privacy and security, Recommendations and offers.
  4. Turn off Cloud Content Search under Privacy and security, Search, to stop local searches from sending data to Bing.
  5. Review and disable Activity History and other telemetry options in Privacy and security settings.
  6. For journalism, activism, or domestic abuse situations where identifier persistence poses a threat, use Linux routed through Tor rather than relying on a commercial VPN with a Windows PC.

Users who reinstall Windows to obtain a new GDID should be aware that signing back into the same Microsoft Account provides Microsoft with data linking the new identifier to previous activity.

What GDID Means for Windows Users and How Widely It’s Deployed

For the approximately 1.6 billion Windows users worldwide, GDID has been operating quietly in the background without any public disclosure or user controls. The recent complaint revealed the existence of this identifier, but Microsoft has not committed to providing user-facing controls or documentation for regular users.

Users concerned about device-level tracking should be aware that the identifier is attached to the account, not the device, meaning reinstalling the OS does not break the link.

Most major operating systems maintain some form of persistent device identity for purposes like licensing and security checks, but Windows differs from platforms like Apple and Google by not offering visible controls.

Legal requests, such as subpoenas, can compel Microsoft to share GDID activity data with law enforcement, as exemplified by the Scattered Spider case. GDID is present on all Windows installations linked to a Microsoft Account.

Users cannot view their own GDID through standard Windows interfaces; it is stored in the registry at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under the LID key. Microsoft has not indicated any changes to how GDID is generated, stored, or reported.

The only public reference outside of the federal complaint is a brief note in Azure Monitor documentation. Users can monitor Microsoft’s privacy updates, but the company has not signaled plans to provide more public information about GDID.

The Scattered Spider case is progressing through the US federal court system. For those interested in the technical details, reviewing the complaint’s discussion of Microsoft telemetry offers the clearest public explanation of how GDID operates to date.

Add Ghacks as a preferred source on Google

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button