Click Clean Access under Device Management.
Click the Clean Access Agent tab.
Click Requirements.
If you don't already have a requirement for the MS update check, add one by clicking New Requirement. Choose Windows update service in the requirement type drop-down box. If you already have a rule for the Windows update service check, you can click Edit instead (next to the move up/down arrow buttons).
About halfway down, you can choose MS servers or WSUS servers.