is it possible to force downloads of windows updates to the SD-WAN?
I tried an ANY rule from Any-Trusted to Microsoft FQDN Alias and set to SD-WAN but it was not successful.
If you change a rule, it will only apply to new connections, not existing ones. If your computer already has a connection out to Microsoft, you'll need to reset that connection for it to follow your new SD-WAN action. Easiest way to accomplish this is to reboot the firewall or the PCs, as that kills every open connection.
*This is assuming that your rule matches the traffic, as Windows Update uses many FQDNs/IPs.
WatchGuard Customer Support