Katos Hi - nice to have you onboard.
It goes without saying that InTune is going to be the best way to manage the updates from a central perspective, but most of this depends on appetite, and of course, budget. Similarly, a public facing WSUS server may not desirable, but in reality, you only need to open a small selection of ports (obviously the notable ones are 443 etc), and that same WSUS server should be placed into a segregated DMZ zone that has no other contact with the internal networks other than what is essential for it to run.
Similarly, if you take this route, this server should be a downstream, whilst you maintain the upstream inside your own network. If you want to "go cheap", and have something quick and effective, you could change the Group Policy (or registry settings) for the remote clients, and have them pull from Windows Update directly. I know several organisations which adopt this approach, and only present the XML that contains the list of centrally approved updates so that remote workstations can install only those that have been approved.
If you're interested in the above mechanisms, let me know.