XG Windows Update Firewall Rule

Ports should just be 80 and 443,

This KB lists the domains: https://technet.microsoft.com/en-au/library/bb693717.aspx

Bits may be using port 443, but it might not be valid HTTPS traffic, so you may need to disable packet inspection for it to allow traffic to pass through.

It's possible. I rather not shut it off if possible. How to I disable packet inspection to rule it out? I can't be the only one allowing 80/443 only and using Windows update.

Another forum user has had sucsess here: https://community.sophos.com/products/xg-firewall/f/network-and-routing/74183/sophos-xg-firewall-preventing-wsus-from-downloading-updates/285722#285722

Might help you out?

Welcome on board. What you can do is to allow the server to access 80/443 to download updates from Microsoft.
You can create an object called "clientless" under Objects > Identity > Clientless Users and add your WSUS ip server. Now create a Policy (user policy) where only the clientless object you created can access 80/443 Microsoft website.
Try to activate IPS rule and see if it breaks the connections (otherwise you need to create exception).

If you want to be more specific, you can create a URL group under Objects > Content > URL Group where only Microsoft websites are allowed (technet.microsoft.com/.../cc708605(v=ws.10).aspx).
Then create a Web Filter under Objects > Policies > Web Filter cloning from Deny all and add the URL group defined before.
At the end create a Policy where user is clientless object going to WAN using 80/443 and as Web FIlter choose the filter you have created before.
Note that this webfilter will allow the server to go only on specified url group created. All other traffic will be blocked (deny all except url specified).

Another forum user has had sucsess here: https://community.sophos.com/products/xg-firewall/f/network-and-routing/74183/sophos-xg-firewall-preventing-wsus-from-downloading-updates/285722#285722

Might help you out?

Welcome on board. What you can do is to allow the server to access 80/443 to download updates from Microsoft.
You can create an object called "clientless" under Objects > Identity > Clientless Users and add your WSUS ip server. Now create a Policy (user policy) where only the clientless object you created can access 80/443 Microsoft website.
Try to activate IPS rule and see if it breaks the connections (otherwise you need to create exception).

If you want to be more specific, you can create a URL group under Objects > Content > URL Group where only Microsoft websites are allowed (technet.microsoft.com/.../cc708605(v=ws.10).aspx).
Then create a Web Filter under Objects > Policies > Web Filter cloning from Deny all and add the URL group defined before.
At the end create a Policy where user is clientless object going to WAN using 80/443 and as Web FIlter choose the filter you have created before.
Note that this webfilter will allow the server to go only on specified url group created. All other traffic will be blocked (deny all except url specified).

Have you enabled the web -> exceptions -> microsoft?

We were having this exact issue with new Windows 10 Clients and enabling this setting fixed it! Thank you!!