It should be clarified that using Wireshark on the hardware in question is still subject to what the operating system is allowing your security context to see - meaning a rootkit or hardware-level compromise could hide its traffic in that case.
Intercepting all traffic coming from the machine using another network node is a good idea though. Wireshark or an IDS like Snort would both work for that.
Piholing the Windows telemetry domains helps some. But yeah, you aren’t wrong.
Personally I’m using: https://raw.githubusercontent.com/d43m0nhLInt3r/socialblocklists/master/Windows/windowstelemetryblocklist.txt
But that update date gives me some pause, so someone correct me please.