I had the same problem. We created a custom URL category to get around it.
.download.microsoftupdates.com, .update.microsoft.com, .windowsupdate.microsoft.com, c.microsoft.com, download.microsoftupdates.com, download.windowsupdate.com, schemas.microsoft.com, stats.update.microsoft.com, update.microsoft.com, windowsupdate.microsoft.com, www.download.windowsupdate.com, www.update.microsoft.com
Although, in the 6.3.3 OS, there's a built-in access-policy URL category called 'Software Updates'. This should catch them too.
Windows Update seems to use the system account, not the user account. We had to match by IP for these URLs. Reading around on here, we also found a suggestion to cache authentication settings for the user (IP address).