This is not convenient to do at every update. On a windows system were there is no known concept of built-in package manager it is even more complicated. I've seen windows apps that automatically update themselves.
Also, since it is very intrusive, I don't think running it into a sandbox may give good diagnostics.
If this program has to be run persistently, then it won't provide much, since a malicious program could wait X days prior to downloading a payload. It is mostly useful for looking for one time changes like registry settings and verifying that the program doesn't place a bunch of random .bat or .exe's in obscure folders.
Windows loves to silently update things, even if it ends up breaking everything, too. Especially drivers where it isn't super obvious that it was updated and something just stops working. Windows 10 is _way_ more aggressive with forcing updates than 7/8 were, automatically re-enabling Windows Update after 30 days of disabling. The easiest solution that I've found is just blocking everything at the DNS level. They can obviously use IP addresses as a workaround if they really want telemetry, but I haven't had issues after blocking a bunch of MS domains in the hosts file.
Also, since it is very intrusive, I don't think running it into a sandbox may give good diagnostics.