windows – Can SCCM or WSUS actively initiate a new TCP connection to the client?

I have computers connected to a corporate domain network with SCCM (+WSUS?) running on common TCP ports (8531, 443, 80 I guess). The computers are behind a hw firewall and new outbound connections to those ports are disabled; only a handful of destination TCP ports on new outbound TCP connections are allowed, like 123, 53 and 5938, and ping is also allowed.

But recently some computers started to download Windows updates, which is not desirable. I am wondering how this was possible. Is it possible that the WSUS or SCCM server actively initiates a new TCP connection to the client, so that the firewall ruleset WAN_IN would be considered instead of WAN_OUT?