@Raul Guchinife, thanks for posting in Q&A.
From your description, I understand that you want to allow certain applications to connect to the internet while the rest are blocked via a Firewall rule, and to ensure that computers can still connect to Intune and Windows Update.
Based on my research, we can create a firewall rule policy by following the steps below to achieve this.
1. Sign in to the Intune portal > Click Devices > Click Configuration Profiles.
2. Create a profile with Windows 10 and later as the platform type > Under Profile Type, select Templates and then Endpoint Protection and click Create > In the Configuration settings section, select Windows Firewall > Expand the dropdown and then select Add to specify apps and rules for incoming connections for the app.
3. In Application settings, select Package family name and enter the Package family name.
4. In Port and protocol settings, select TCP under Protocol, and enter 80 and 443 under Local ports and Remote ports.
5. On the Assignments page, assign it to a user or device group and click Create.
You can get the Package family name via the PowerShell command 'Get-AppxPackage -AllUsers'.
Computers connect to Intune via TCP ports 80 and 443.
Computers use TCP ports 80 and 443 to communicate with the Windows Update service.
Here is some detailed information about Firewall Rules in the link below, which you can refer to.
Hope the above information helps you. If there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive email notifications for this thread.
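As an added example (not part of the answer above), the PowerShell below resolves the Package family names needed for step 3 and then checks that TCP 80 and 443 still reach the management endpoints once the policy applies. It assumes an elevated PowerShell session on a Windows 10/11 device; the app name patterns and the endpoint hostnames are placeholders to replace with your own.

```powershell
# Added example, not from the original answer. Assumes an elevated session
# (Get-AppxPackage -AllUsers requires it). Hostnames and patterns are placeholders.

function Get-AllowedAppPfn {
    param(
        # Wildcard patterns matched against the AppX package Name, e.g. 'Microsoft.WindowsStore'
        [Parameter(Mandatory)] [string[]] $NamePattern
    )
    # -AllUsers enumerates packages installed for every user profile on the device.
    $packages = Get-AppxPackage -AllUsers
    foreach ($pattern in $NamePattern) {
        $packages |
            Where-Object { $_.Name -like $pattern } |
            Select-Object Name, PackageFamilyName -Unique
    }
}

function Test-ManagementPorts {
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [int[]] $Port = @(80, 443)   # ports Intune and Windows Update use
    )
    foreach ($h in $HostName) {
        foreach ($p in $Port) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $h; Port = $p; TcpOpen = $r.TcpTestSucceeded }
        }
    }
}

# List the PFNs to enter in the Intune rule (example patterns; adjust to your allowed apps).
Get-AllowedAppPfn -NamePattern 'Microsoft.WindowsStore', 'Microsoft.MicrosoftEdge*' |
    Format-Table -AutoSize

# After the policy applies, confirm 80/443 are still reachable for management traffic.
# Placeholder hostnames: substitute the Intune and Windows Update endpoints for your tenant.
Test-ManagementPorts -HostName 'intune.example.invalid', 'windowsupdate.example.invalid' |
    Format-Table -AutoSize
```

A row with TcpOpen set to False after the policy is assigned indicates the rule set is blocking a required endpoint on that port.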