The problem is that WSUS does not throttle the amount of bandwidth available to download the updates it will just use as much of your WAN circuit as possible while the PCs download the required updates.
One solution would be to enable throttling of the WSUS traffic on your routers during business hours. This can be complex to setup if it’s even supported by your routers. An easier option is to enable IIS throttling on your WSUS site in IIS during business hours and disable IIS throttling after closing.
To do this you need to use the script adsutil.vbs in "C:\Inetpub\AdminScripts\" and create a scheduled task to enable/disable the throttle.
1. You need to find the site identifier for your WSUS Administration site. Open the IIS Manager click on "Web Sites". Look at the "Identifier" column of your WSUS Administration site. This is your sites id.
2. Create a new scheduled task to enable the throttle. Enter the site id for your WSUS Administration site from step 1. Pick a time when you want to start the throttle. I picked 6:00AM because I want to make sure it’s enabled before anyone shows up to work. The property to enable the throttle is "MaxBandwidth" and is in bps. If you want to limit WSUS to 512K you must enter "524288" (512 * 1024) the IIS Manager will list this in Kbps.
C:\WINDOWS\system32\cscript.exe "C:\Inetpub\AdminScripts\adsutil.vbs" SET /w3svc/<siteid>/MaxBandwidth 524288
3. Create a second task to disable the throttle. To disable the throttle we set the value to its max not to 0. I scheduled this task to run at 8:00PM after everyone has left.
C:\WINDOWS\system32\cscript.exe "C:\Inetpub\AdminScripts\adsutil.vbs" SET /w3svc/<siteid>/MaxBandwidth 4294967295
In the end you have two scheduled task that look somewhat like this. One that will enable throttling on your WSUS site to prevent it from saturating your WAN during the day and a second to disable it so the PCs can get their updates as fast as possible in the evening.