That is putting a lot of faith in both Microsoft and the Windows Firewall, which has historically been very weak. Microsoft has also indicated that they're not averse to bypassing users' obvious attempts to protect themselves from spying, for example: bypassing hosts file entries for telemetric data exfiltration. So while the firewall might work today, there is absolutely nothing preventing a future update from silently changing the rules of the game.
I suspect the problem will be if they have independent security tools near their network edge that MITM their own traffic, as discussed elsewhere on HN recently. If Microsoft are hard-coding addresses and certificate details for their online services within Windows itself, the security tools won't be able to inspect that traffic, and will probably be set to block it by default.
I suspect the kinds of organisations operating these tools would consider that "working as intended" in most cases, but if it interferes with the enterprise-grade configuration and update management tools then that could be an issue for them.
My point was that they will be able to detect if Microsoft is subverting the Windows Firewall, trivially. So it would be incompetent for Microsoft to subvert the firewall and expect those users not to notice, and incredibly foolish for Microsoft to do it if they think those users will object by moving away from Windows.