@ReeXNeeX You’re of course right that updates are delivered through CDNs; however, I’m pretty sure that all requests start using a DNS alias that would be covered by the wildcard rules above. This TechNet article suggests that this method is still effective: https://technet.microsoft.com/en-us/library/gg712696.aspx
It lists the following URLs that are involved in software updates:
I haven’t got a live system currently configured that diverts updates via a specific WAN, so perhaps it’s a question of try it and see. If you dump the URL logging to syslog on your device and then run a Windows software update, you’ll be able to see what URLs are actually called.
I don’t have any policies configured for social media services. Yes, a high number of policies will ultimately have an effect on throughput / CPU load. The most I have ever used personally is between 20-30 on a B380, and I saw no negative impact on throughput.