@ReeXNeeX You’re of course right that updates are delivered through CDNs, however I’m pretty sure that all requests start using a DNS alias that would be covered by the wildcard rules above. This Technet article suggests that this method is still effective: Planning for Software Updates in Configuration Manager | Microsoft Learn
It lists the following URLs that are involved in software updates:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://test.stats.update.microsoft.com
I haven’t got a live system currently configured that diverts updates via a specific WAN, so perhaps it’s a question of try it and see. If you dump the URL logging to syslog on your device, then run a Windows software update, you’ll be able to see what URLs are actually called.
I don’t have any policies configured for social media services. Yes, a high number of policies will ultimately have an effect on throughput / CPU load. The most I have ever used personally is between 20-30 on a B380 and I saw no negative impact on throughput.
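One way to do the "try it and see" check suggested above, as an added example that is not from the original post: parse the hosts out of the syslog URL records and report which ones fall under the wildcard rules in the list and which do not. The `url=` field layout and the sample hosts are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Host patterns from the Microsoft list quoted in the post, scheme dropped
# (a URL-filtering policy matches on the host, not on http vs https).
UPDATE_HOST_RULES = [
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com",
    "*.windowsupdate.com",
    "download.windowsupdate.com",
    "download.microsoft.com",
    "*.download.windowsupdate.com",
    "test.stats.update.microsoft.com",
]

URL_FIELD = re.compile(r"\burl=(\S+)")  # assumed log layout: a 'url=<url>' field per line

def host_matches(host: str, rule: str) -> bool:
    """'*.x.com' covers any subdomain depth under x.com (not x.com itself); else exact match."""
    host, rule = host.lower().rstrip("."), rule.lower()
    return host.endswith(rule[1:]) if rule.startswith("*.") else host == rule

def covering_rule(host: str):
    """Most specific rule covering host: exact match, else longest wildcard, else None."""
    hits = [r for r in UPDATE_HOST_RULES if host_matches(host, r)]
    return min(hits, key=lambda r: (r.startswith("*."), -len(r))) if hits else None

def audit_log(lines):
    """Map every host seen in the log lines to the rule that covers it (None = not covered)."""
    seen = {}
    for line in lines:
        m = URL_FIELD.search(line)
        host = urlparse(m.group(1)).hostname if m else None
        if host:
            seen.setdefault(host, covering_rule(host))
    return seen

def uncovered_hosts(lines):
    """Hosts the update run touched that none of the rules would allow."""
    return sorted(h for h, r in audit_log(lines).items() if r is None)

# Constructed sample lines; 'fe2.update.microsoft.com' and 'cdn-edge.example.net' are made up.
SAMPLE_LOG = [
    "Jan  1 10:00:01 fw urlfilter: src=10.0.0.5 url=http://fe2.update.microsoft.com/v6/ action=allow",
    "Jan  1 10:00:02 fw urlfilter: src=10.0.0.5 url=http://download.windowsupdate.com/c/x.cab action=allow",
    "Jan  1 10:00:03 fw urlfilter: src=10.0.0.5 url=http://cdn-edge.example.net/content/x.cab action=allow",
    "Jan  1 10:00:04 fw urlfilter: src=10.0.0.5 url=https://windowsupdate.microsoft.com/ action=allow",
]
```

Any host that `uncovered_hosts` reports after a real update run is one the wildcard rules would not have allowed, which is exactly the CDN question raised above.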