Rule based on ‘%SystemRoot%\System32\svchost.exe’
Under the “Programs and Services” tab, Go to the “Settings” tab, select “apply to this service”, select “windows update” OK.
Only TCP remote ports 80, 443 are required.
via Allow Windows Update through windows firewall – Neowin Forums.