Thank you for the post, @palomed.
You can do it with QoS. Here is the corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS0CAK
In summary, you can create a QoS Profile applied to the "Trust" interface where you specify one class with the "Egress Max Bandwidth" you want to limit Windows Update traffic to. Then, under Policies > QoS, you add a new policy, associate this policy with the class, and under application you can add "ms-update".
Once you complete the above configuration, only new sessions will match the QoS policy. For existing sessions, you will have to terminate them first.
Kind Regards
Pavel