Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled, Documented in FBI Case Filing

July 12, 2026

Microsoft has recently confirmed the existence of the Global Device Identifier (GDID), a unique identifier assigned to Windows installations, in a federal complaint against an alleged member of the Scattered Spider hacking group. This identifier is generated when a Windows system is set up with a Microsoft Account and remains active through various Windows updates. Notably, disabling the GDID could disrupt Windows activation and access to Microsoft Store applications.

In its documentation, Microsoft has only briefly referenced the GDID, describing it as “an identifier used by Microsoft internally.” However, the federal complaint provides a more detailed account, quoting a Microsoft representative who characterized the GDID as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios.”

What the Windows Global Device Identifier Is and How the FBI Used It

The GDID is a permanent identifier created during the provisioning of Windows with a Microsoft Account, generated through a series of Windows services. The wlidsvc service requests a Device PUID from login.live.com, which is subsequently registered in Microsoft’s Device Directory Service via the Connected Devices Platform. When a PC shares or downloads updates, Delivery Optimization reports the GDID back to Microsoft. This identifier is stored in the Windows registry under HKCUSOFTWAREMicrosoftIdentityCRLExtendedProperties and is formatted with a lowercase “g” followed by a decimal number.

While the GDID remains persistent through Windows updates, it is not retained after a clean reinstall. Microsoft has acknowledged that a single user can possess multiple GDIDs linked through their account, OneDrive, and activation history. The FBI utilized the GDID to track Peter Stokes, an alleged member of the Scattered Spider group, across various VPN connections and proxy servers over an eight-month period spanning four countries. The complaint notes that the GDID g:6755467234350028 was recorded visiting the ngrok signup page simultaneously with the creation of an account used in the attack via a Tzulo VPN proxy. Just three hours later, the same GDID accessed a victim retailer’s website through the same proxy.

Investigators cross-referenced the device with IP addresses associated with Stokes’s accounts on platforms such as Snapchat, Facebook, Apple, and Ubisoft across locations including Estonia, New York, and Thailand. Public photos from Stokes’s Snapchat matched hotel bookings and travel timelines linked to the GDID, underscoring the identifier’s role as a crucial investigative tool. The persistent nature of the GDID across VPN sessions proved invaluable, as it continued to report the same identifier despite the frequent changes in VPN IP addresses.

Why Privacy Researchers Are Concerned and What Users Can Do

The emergence of the GDID has raised significant concerns among security researchers regarding user privacy and control:

  • Lack of Consent: Unlike Apple’s advertising identifier, which requires user consent through an App Tracking Transparency prompt, the GDID is assigned without any such notification or option for users to reset it.
  • Activation Dependence: The group Massgrave, known for Microsoft Activation Scripts, has pointed out that the Windows setup process sends hardware information to Microsoft, which then returns identifiers essential for Store access and licensing. Disabling GDID assignment disrupts both activation and Universal Windows Platform (UWP) applications.
  • Reinstallation Implications: While reinstalling Windows generates a new GDID, signing back into the same Microsoft Account allows Microsoft to link the new identifier to prior activities.
  • Limited Documentation: Microsoft’s public documentation regarding the GDID consists of a single sentence in an Azure Monitor reference table aimed at enterprise IT administrators.

Security researcher Matthew Hickey has described Windows as “surveillance software” in light of these revelations. Costin Raiu posed a critical question on the Three Buddy Problem podcast regarding the extent of similar functionalities across other platforms. Users concerned about the implications of the GDID have limited options, as the identifier cannot be disabled without compromising essential Windows features. However, practical steps can be taken to mitigate related tracking:

  1. Opt for a local account instead of a Microsoft Account during setup, although Windows 11 has made this option less accessible in recent updates.
  2. Disable optional diagnostic data through Settings, Privacy and security, Diagnostics and feedback.
  3. Turn off personalized ads and launch tracking under Privacy and security, Recommendations and offers.
  4. Disable Cloud Content Search under Privacy and security, Search to prevent local searches from sending data to Bing.
  5. Review and disable Activity History and other telemetry options in the Privacy and security settings.
  6. For sensitive situations, such as journalism or activism, consider using Linux routed through Tor instead of relying on a commercial VPN with a Windows PC.

Users contemplating a reinstallation of Windows to acquire a new GDID should remain cautious, as signing back into the same Microsoft Account will allow Microsoft to associate the new identifier with previous activities.

What GDID Means for Windows Users and How Widely It’s Deployed

For the estimated 1.6 billion Windows users globally, the GDID has been functioning quietly in the background without any prior public disclosure or user controls. The recent federal complaint has brought this identifier to light, yet Microsoft has not committed to providing user-facing controls or comprehensive documentation for everyday users. It is essential for those concerned about device-level tracking to understand that the GDID is linked to the account rather than the device itself, meaning that reinstalling the operating system does not sever this connection.

While most major operating systems maintain some form of persistent device identity for licensing and security checks, Windows stands apart from platforms like Apple and Google by not offering visible controls for users. Legal requests, such as subpoenas, can compel Microsoft to disclose GDID activity data to law enforcement, as evidenced by the Scattered Spider case. The GDID is present on all Windows installations associated with a Microsoft Account, and users currently lack the means to view their own GDID through standard Windows interfaces; it resides in the registry at HKCUSOFTWAREMicrosoftIdentityCRLExtendedProperties under the LID key. Microsoft has not indicated any forthcoming changes to the generation, storage, or reporting of the GDID.

Aside from the federal complaint, the only public reference to the GDID is a brief mention in Azure Monitor documentation. Users are encouraged to monitor Microsoft’s privacy updates, although the company has not suggested any plans to provide more information about the GDID. As the Scattered Spider case continues through the US federal court system, those interested in the technical intricacies may find the complaint’s discussion of Microsoft telemetry to be the most informative public explanation of the GDID’s operation to date.

Winsage
Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled, Documented in FBI Case Filing