To keep the Windows clients on your disconnected network updated, they would normally need to connect to the Windows Update service. Clearly, with your network protected by AROW, this is not an option. Hopefully your normal practice is to control your client updates anyway, using the WSUS built into Windows Server 2012 or added as an application on earlier versions.

So controlling updates is just part of your normal security and administration practices. With a data diode (or in fact just a completely isolated network) you need to deploy a WSUS export server on the black side of your gapped network, and a WSUS import server on your red side. Microsoft have details of how to do this here. N.B. WSUS is not available on Windows Server 2012 R2 Foundation, but is included in all other versions.

With the AROWBftp software, the only step that differs is to point your send symlink at the WSUS local repository on the black side. The repository files will then be transferred to the red side, where the import server resides, and normal updates can then take place with all the usual administrative controls that Windows sysadmins expect to be available.

Take note, though, of the warnings about the metadata files, and ensure that these are created and transmitted after the database.