
Namespace unsharing: deny-all firewall, destroyer of telemetry

Telemetry is hard to disable. Probably on purpose.

But there's an easy way out. Selectively cut the ethernet cable!

At some point, while looking into how I could set up a chroot without escalating to root, I found unshare. It builds on the kernel's namespace feature, which gives different processes different views of the system.

Networking is one of the things that can be namespaced, so try the following:

unshare --map-root-user --net curl telemetry.microsoft.com -L

It does not work! Incredible! The new network namespace has no interfaces apart from a down loopback and no routes, so there is simply nowhere for the packets to go. The command can be reduced to the following:

unshare -rn PROGRAM

You can also get an interactive shell this way; every process started from it inherits the namespace, so none of them has internet access either:

unshare -rn bash

One catch is that the program now thinks it is running as root (it is not: --map-root-user / -r maps your own uid to 0 inside the namespace). Fortunately, someone ran into the same issue before, and the result is the following program:

// CC BY SA 4.0, https://unix.stackexchange.com/a/460168
// Modified to not crash on empty argv[1], to check for errors, and to map
// the caller's own uid/gid (the original answer hardcoded 1000).
#define _GNU_SOURCE
#include <sched.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#include <stdio.h>
#include <string.h>
#include <unistd.h>

// Write a short string to a /proc file, aborting on failure so that a
// half-configured namespace is never handed to the child process.
static void write_proc(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0 || write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
        perror(path);
        _exit(1);
    }
    close(fd);
}

int main(int argc, char *argv[]) {
    char map[64];
    uid_t uid = getuid();
    gid_t gid = getgid();

    // New user namespace (so no privileges are needed) plus a new, empty
    // network namespace: a down loopback device and no routes.
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
        perror("unshare");
        return 1;
    }
    // An unprivileged process may only write gid_map after denying setgroups.
    write_proc("/proc/self/setgroups", "deny");
    // Map our uid/gid onto itself ("inside outside count"), so the child
    // sees the real user instead of a fake root.
    snprintf(map, sizeof map, "%u %u 1", (unsigned)uid, (unsigned)uid);
    write_proc("/proc/self/uid_map", map);
    snprintf(map, sizeof map, "%u %u 1", (unsigned)gid, (unsigned)gid);
    write_proc("/proc/self/gid_map", map);

    if (argc > 1) {
        execvp(argv[1], argv + 1);
        perror(argv[1]);
    } else {
        // execvp needs a real argv; passing NULL is not portable.
        char *const shell[] = { "/bin/bash", NULL };
        execvp(shell[0], shell);
        perror(shell[0]);
    }
    return 1;
}

Now if you compile this C program as described in the Stack Exchange answer, and replace any unshare -rn with the program itself, it will work the same way but also give you your own user, sidestepping the problem.

Note that you will still have no supplementary groups (setgroups is denied inside the new user namespace), but that should not be a problem in most circumstances. If it is a problem for you, a conventional firewall such as ufw or iptables is the alternative.

(Oh, and if you do believe in telemetry, make it opt-in. Thanks.)