GDPR only covers PII, this is a randomly generated ID that changes on every install on the OS.
You can mix it with other info to track a user, but it's not enough to de-anonymize someone on its own.
unfortunately under GDPR, anonymous IDs are personal data as they are used to single out a data subject.
If they associate it with a Microsoft account (or anything that is identifiable) then it becomes PII.
And of course they are.