SCIENTIFIC-LINUX-USERS Archives

March 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Paul Robert Marino <[log in to unmask]>
Date: Sat, 5 Mar 2016 05:00:54 -0500
Content-Type: text/plain

The only way I can think of is to force all internet access through a proxy and filter it out in the proxy.
Then you don't give the machines any internet access, just access to the proxy.
Unfortunately I do not have details for you on how to filter the snoop messages because I haven't looked at them, but it should be fairly easy using squid and an external Perl regex filter script or other filter application, but you will take a latency hit because you will have to inspect every transaction.

  Original Message  
From: jdow
Sent: Friday, March 4, 2016 23:35
To: [log in to unmask]
Subject: Re: snooping windows 10 - how to stop it on a linux gateway?

That windows update server is a relay for the "snoop" messages. About the only 
way to totally stop the snoop messages is to totally isolate the network 
containing Windows machines from the network. Any windows machine can serve as a 
relay point for any others.

{o.o}

On 2016-03-04 20:16, Karel Lang AFD wrote:
> Hi guys,
>
> firstly, sorry Todd, i don't know how it happened i got attached to your thread.
>
> secondly, thank you all for your thoughtful posts.
>
> I know it is not easy to block the selected traffic from windows 10 and you are
> right, it is being backported to windows 7 as well. Horrible and disgusting.
>
> I already have windows server in LAN dedicated as a update server (work of my
> windows colleagues), so the PC don't have to access windows update servers
> outside LAN - this should simplify things.
>
> Also the PCs must have internet access to email, http, https, ftp, sftp - simply
> the 'usual' stuff.
> I think, yet, there should be a way. I'll try to consult mikrotik experts (the
> router brand we use) and guys from our ISP.
> If i have something, i'll let you know :-)
>
> thank you, bb
>
> Karel
>
> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>> Hi all,
>>>
>>> guys, I think everyone heard already about how windows 10 badly treats
>>> its users' privacy.
>>
>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>> can't stop it.
>>
>>> I'm now thinking about a way how to stop a windows 10 sending these data
>>> mining results to a microsoft telemetry servers and filter it on our SL
>>> 6 linux gateway.
>>
>> Nope. There are no specific servers in use - just general - so whatever
>> you block will end up killing other services.
>>
>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>> similarly filter torrent streams on our gateway - i patched standard SL
>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>> extremely well.
>>
>> I would be interested to see if you could identify telemetry packets in
>> the flow - but I'm not predicting much success. If you do get it, make
>> sure you let the world know though!
>>
>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>
>> Correct.
>>
>>> I'm no windows expert, but I'm a unix administrator concerned about
>>> privacy of windows desktop/laptop users sitting inside my LAN.
>>>
>>> What i'd like to come up is some more general iptables rules, than
>>> blocking specific IP addresses or names, because, apparently they may
>>> change in any incoming windows update ...
>>>
>>> Anyone gave this thought already? Anyone else's concerned the way i am?
>>
>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>> a few things that I like - so Fedora is a happy medium for me - as I
>> still have the fedora-updates-testing repo enabled). My work laptop as
>> well as my personal laptop - and now my home desktop all run Fedora 23
>> (KDE Spin if you hate Gnome 3 - like me).
>>
>
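
The proxy-side filter suggested at the top of this thread, sketched as a Squid external ACL helper. This is an added example, not code from any poster; it is written in Python rather than Perl, and the helper path, the ACL names in the comments and the host patterns are assumptions (the patterns are constructed placeholders, since the thread names no endpoints).

```python
#!/usr/bin/env python3
# Squid external ACL helper (added example). Squid writes one lookup per line
# on stdin and expects "OK" (ACL matches) or "ERR" (no match) on stdout.
# Hypothetical squid.conf wiring; helper path and ACL names are assumptions:
#   external_acl_type hostfilter ttl=300 %DST /usr/local/bin/hostfilter.py
#   acl filtered_dst external hostfilter
#   http_access deny filtered_dst
import re
import sys

# Constructed placeholder patterns; replace with hosts you have actually
# identified on your own network.
BLOCK_PATTERNS = [
    re.compile(r"(^|\.)telemetry\.example\.invalid$"),
    re.compile(r"^collector-\d+\.example\.invalid$"),
]

def normalize(host):
    """Lower-case and drop a trailing dot so 'Host.Example.' cannot slip past."""
    return host.strip().lower().rstrip(".")

def is_blocked(host):
    host = normalize(host)
    return any(p.search(host) for p in BLOCK_PATTERNS)

def answer(line):
    """Return the reply for one request line, with or without a channel ID."""
    parts = line.split()
    if not parts:
        return "ERR"
    # With concurrency=N set on the external_acl_type line, every request
    # starts with a numeric channel ID that must be echoed in the reply.
    channel = ""
    if len(parts) == 2 and parts[0].isdigit():
        channel, parts = parts[0] + " ", parts[1:]
    verdict = "OK" if is_blocked(parts[0]) else "ERR"
    return channel + verdict

def main():
    for line in sys.stdin:
        # Flush every reply: Squid waits on the helper's answer per request.
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

For HTTPS the proxy sees only the hostname in the CONNECT request, so this filters by destination name and cannot inspect message content.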
