My Windows VLAN simply doesn't have any internet connectivity at all. I use those machines for benchmarking work, and I can't have them installing updates and invalidating previous measurements. Isolating them from the Internet entirely is the only simple way to make sure Windows updates are really not going to happen for any reason.
You are probably safe with your setup, but be aware that windows has peer-to-peer update functionality, so if another more up-to-date windows installation gets within reach of your benchmarking machines, it could potentially update them.
I have considered that, but it seems Windows still needs to phone home to Microsoft to check what updates are available, even if it acquires them locally.
Interesting. I do something similar, for an entirely different reason. Basically, I don't want any information about what I'm working on leaking to Microsoft. Or to anyone, for that matter. So I have a Win10 VM, with apps that I need, but with no sensitive information, and periodically install updates.
Whenever I need to use Win10, I create a clone, remove the network adapter, and attach a VDI containing my data. And once I'm done, I delete the clone.
