XG Windows Update Firewall Rule

I'm having an issue with Windows update due to my firewall rules. Users can get out on 80,443, and a couple other application ports. Otherwise outgoing traffic is denied. I know there is a range of ports the the Windows update services uses so I attempted to add the FQDN of known update servers with any port allowed but that did not work. If I make an any out firewall rule for the affected workstation the updates flow.

Anyone have luck with this? Thanks in advance.