Privacy News Microsoft Confirms Windows GDID Device Identifier That Cannot Be Disabled, Documented in FBI Case Filing

lokamoka820

Level 49
Thread author
Verified
Top Poster
Well-known
Mar 1, 2024
3,809
3
13,429
4,769
Banana Republic
Microsoft has publicly acknowledged the existence of the Global Device Identifier (GDID), a device-specific ID assigned to Windows installations, in a federal complaint filed by US prosecutors against an alleged member of the Scattered Spider hacking group.

The ID is generated when Windows is set up with a Microsoft Account, persists through Windows updates, and cannot be disabled without affecting Windows activation and Microsoft Store apps.

Microsoft briefly mentioned GDID in the Azure Monitor documentation, describing it only as "an identifier used by Microsoft internally." The complaint cites a Microsoft representative describing GDID as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device such as a mobile phone or laptop or a virtual machine, across certain Microsoft services and scenarios."

Why Privacy Researchers Are Concerned and What Users Can Do​

Multiple security researchers have raised concerns about the visibility and control users have over GDID:
  • There is no consent screen when GDID is assigned. Apple's advertising identifier requires an App Tracking Transparency prompt with a visible reset. Android provides similar controls. GDID has neither.
  • Activation dependence. Massgrave, the group behind Microsoft Activation Scripts, has noted that Windows setup sends hardware info to Microsoft and receives identifiers back that are later used for Store access and licensing. Blocking GDID assignment breaks both activation and UWP apps.
  • Reinstalling Windows produces a new GDID, but signing back into the same Microsoft Account gives Microsoft a clear path to link the new identifier to previous activity.
  • Microsoft's public documentation of the identifier consists of one sentence in an Azure Monitor reference table for enterprise IT administrators.
Security researcher Matthew Hickey has characterized Windows as "surveillance software" in response to the case. Costin Raiu asked on the Three Buddy Problem podcast how much similar functionality exists on other platforms.

Users concerned about GDID have limited direct options because the identifier cannot be turned off without breaking core Windows functionality. Practical steps that reduce related tracking include:
  1. Use a local account instead of a Microsoft Account when possible. Windows 11 has made this harder in recent versions, but the option is still available during setup for users who know how to reach it.
  2. Turn off optional diagnostic data through Settings, Privacy and security, Diagnostics and feedback.
  3. Disable personalized ads and launch tracking under Privacy and security, Recommendations and offers.
  4. Turn off Cloud Content Search under Privacy and security, Search, to stop local searches from sending data to Bing.
  5. Review and disable Activity History and other telemetry options in Privacy and security settings.
  6. For journalism, activism, or domestic abuse situations where identifier persistence poses a threat, use Linux routed through Tor rather than relying on a commercial VPN with a Windows PC.
Users who reinstall Windows to obtain a new GDID should be aware that signing back into the same Microsoft Account provides Microsoft with data linking the new identifier to previous activity.
 
Privacy settings in Windows can still reduce some data sharing, but they don't affect system-level identifiers like the GDID described in the article.

I still think it's worth reviewing and adjusting those settings, since they can still reduce some optional data sharing, even if they don't affect identifiers like GDID. This case simply shows that some aspects of Windows operate independently of the privacy options available to users. 🔒✨