Remote Device Management
If you don't already have a cloud based MDM, keeping your remote devices patched and policies updated becomes a challenge.
VPN Start Before Login
For devices using SWOCA's VPN, we have enabled "Start Before Login" on our VPN. This allows Windows to process group policy upon login. Direct your users to click the VPN login icon on their Windows login screen (lower right hand corner) to connect the VPN server, and then do their normal login. User level group policies should be updated at this time, and system level policies may also apply depending on your GPO settings.
WSUS - Public Server
One option for ensuring your remote Windows systems stay updated to use your existing WSUS server as a public web server. You can request a public IP NAT from SWOCA's Network team for your WSUS server. You can then either add a public DNS record for that server (if your internal DNS zone matches your public DNS zone), or update the WSUS record on your clients to point to a public servers DNS entry.
RMM - Remote Monitoring and Management Tools
There are several tools in use by our members for remote management and patching. Some of their recommendations include:http://rmm.msp.zone, a community project of r/MSP.