In April 2026, the FBI apprehended an individual believed to be associated with the Scattered Spider group. This suspect had cleverly concealed his online activities behind a VPN, utilizing IP addresses from three different countries. However, his efforts were rendered futile not by a misstep, but rather by a persistent identifier embedded within Windows: the GDID. This identifier, which Microsoft readily provides to authorities upon request, has sparked curiosity about its implications for user privacy.
To delve deeper into the nature of the GDID, I set up a Windows 11 Pro virtual machine (VM) and enlisted the assistance of a language model. The findings were both enlightening and concerning. The GDID is not merely a serial number tied to your hardware; instead, it is a 64-bit Persistent Unique Identifier (PUID) that Microsoft attaches to your account the moment you log into Windows. This identifier is stored in plain text within your registry and is consistently registered on Microsoft’s servers, remaining unaffected by changes to your IP address.
Look your own tracker in the face
To visualize this identifier, one can use PowerShell to extract it. By executing a simple command, you can reveal the GDID associated with your account. For instance, my VM produced the output g:6755487812206045, a number that Microsoft can trace back to my activities. This identifier serves as a label, quietly affixed to your digital presence.
Delete it? Forget it
The instinctive response might be to delete the GDID from the registry, located at HKCU:SOFTWAREMicrosoftIdentityCRLExtendedProperties. However, upon attempting this, I discovered that the identifier reappeared after merely opening the Microsoft Store. The GDID is not stored locally; it resides on Microsoft’s servers, where it remains linked to your account. Even if you reinstall Windows, the old identifier and its associated data persist, rendering any attempts to erase it ineffective.
Disabling telemetry changes nothing either
Another common recommendation is to disable Windows telemetry. However, even with the telemetry service halted on my VM, the GDID remained accessible. The data transmission does not rely solely on telemetry; it operates through the Connected Devices Platform and Delivery Optimization services. Thus, toggling privacy settings offers little protection against this persistent tracking.
Turning off the tap for real
Since erasing the GDID is not feasible, the next best approach is to prevent it from being transmitted. This can be achieved without logging out of your Microsoft account, allowing continued usability of the PC. Two primary strategies can be employed: disabling the services responsible for reporting device information and modifying the hosts file to block Microsoft’s servers. However, the service that reports the GDID, known as DoSvc, cannot be disabled through conventional means. Instead, it requires direct modification in the registry.
To facilitate this process, I have compiled a series of scripts available on GitHub, designed to audit your current situation and implement necessary changes. The first step involves running a read-only audit to assess your GDID and the active services. Following this, you can preview the potential changes before applying them, ensuring a cautious approach.
Alright, let’s go!
To begin, open PowerShell as an administrator and clone the project repository. Start with the audit script to understand your current status:
powershell -ExecutionPolicy Bypass -File .auditGet-GDID-Audit.ps1
Next, you can preview the mitigation scripts without making any changes:
powershell -ExecutionPolicy Bypass -File .mitigateDisable-GDID-Services.ps1
powershell -ExecutionPolicy Bypass -File .mitigateBlock-GDID-Endpoints.ps1
If satisfied with the proposed adjustments, you can proceed to apply the changes, effectively disabling the reporting services and blocking the associated Microsoft endpoints:
powershell -ExecutionPolicy Bypass -File .mitigateDisable-GDID-Services.ps1 -Apply
powershell -ExecutionPolicy Bypass -File .mitigateBlock-GDID-Endpoints.ps1 -Apply
To revert any changes made, a single command will restore the original settings:
powershell -ExecutionPolicy Bypass -File .mitigateRevert-GDID.ps1
The uncomfortable truth
It is essential to acknowledge that while these steps may reduce Microsoft’s ability to correlate your activities moving forward, they do not eliminate the GDID that has been stored on their servers since your initial login. Moreover, transitioning to a local account may not guarantee anonymity, as there is no definitive proof that an anonymous identifier does not take over behind the scenes. For truly sensitive activities, the most effective solution remains to avoid conducting them on Windows altogether. Utilizing a live Linux system, for instance, grants you comprehensive control over your data transmission. Ultimately, understanding what information has been collected is the first step in safeguarding your privacy.
This article may contain AI-generated images. I take great care with every article, but if you spot a slip-up, let me know!