Hi @Roberto ,
1) WSUS synchronization from Microsoft, once per month, after Patch Tuesday
2) SCCM Deployment packages: Windows 10, Office, Windows Defender, Windows Defender definitions
We could use automatic deployment rule to deploy update, the relevant settings are below:
About product: Please navigate to the tab of software updates, select the product, and select Windows 10, Office, Windows Defender, kindly refer to the picture:
About once per month, after Patch Tuesday: Please navigate to the tab of Evaluation schedule, select the tab of run the rule on a schedule, related setting coule be referred to this picture:
3) automatic deployment to PCs scheduled in three fases:
We could create a collection which includes a few Test PCs, and then add larger pool of test PCs in the collection, finally deploy to all pcs.
4) WSUS should deny direct access from clients. Only source of updates has to be SCCM
Please check if the device was previously managed by WSUS. If yes, delete the record of the tab of set the intranet update service for detecting and set the intranet statistics server. Related setting coule be referred to this picture:
About creating an automatic deployment rule (ADR), please refer to this article:
https://learn.microsoft.com/en-us/mem/configmgr/sum/deploy-use/automatically-deploy-software-updates
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.