Could be MTU problems especially if ICMP is filtered. Can you ping with DF set at 1500 (raw packet) or 1472 (payload) to the app store?
As far as what ports are used for the Windows AppStore, I was not able to find anything in a quick internet search, but you might want to contact Microsoft or check out their help pages.
You could also use a packet capture on a client device on a different network. That should allow you see what ports are in use. The Windows App store may use standard protocols like FTP, SCP, HTTP, etc. or they may use some proprietary protocols.
Once you have determined the ports, can you add them to your user Roles on the BSC. The roles are the firewall for the clients on the BSC.
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily as well as award points to the users that helped you. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.