
Wouldn’t transparent TLS with self-signed certificates solve this problem? I’ll definitely try this in a couple of weeks, but I can’t be the only person to try this to uncover the exact data that is being sent via Windows telemetrics.

Another alternative would be remote debugging the kernel and hooking into some of the undocumented API calls but that would take lots of effort.



Just spin up Fiddler with a generated root CA on the device. Or if you don't trust the network stack on the OS - point the thing at a MITM proxy and trust the self-signed CA in the certificate store.

It's really not all that hard to view https traffic...

ex: https://www.telerik.com/fiddler/fiddler-classic


Something like this using mitmproxy (from 2017):

https://www.softscheck.com/en/blog/windows-10-enterprise-tel...



