Is it possible to trivially airgap a machine except for Windows Update and associated software update services provided by Microsoft? I'd like to airgap a virtual machine running Windows 8.1 Pro and only enable the network for installing updates from trusted sources (both in the sense that Microsoft can pretty much make my machine do whatever they want and I'm choosing to believe they won't do anything malicious, and that I'm choosing to believe they will maintain the security of their update-serving infrastructure.) Maybe all I need is some unchanging firewall settings, but I don't know how Microsoft sets up their network. If I go this approach, does anyone know if the IPs and hostnames Microsoft uses stay the same and can be trivially collected to create a firewall rule or firewall rules?