I have been assigned 1,000 Windows 10 Pro workstations to manage. These systems are scattered all around the United States with 2-4 systems per site. All systems are located in spaces provided by partners. All locations are physically secure locations with firewalls, IPS, the works.
Here's where I need help. I'm responsible for keeping the OS patched to follow a set of standards provided by an application vendor. Twice a year the vendor certifies drivers, Windows patches/updates and we have to keep the systems current with what the vendor specifies.
I was told today in a meeting that I must:
- Prevent automatic updates
- Place a ceiling on the maximum Windows Update version that's allowed to be installed. We're currently on Windows 20H1. The next targeted release is 21H1 whenever it's ready.
- Initiate Windows Update installs remotely
None of these systems are on a VPN back to a central update server and some of the systems are legally owned by another entity with my company being the de facto admin/primary user of the systems.
What's the best practice here? Can anyone point out to me what I should do? I considered setting up our own WSUS server and providing access via an IPSec-encrypted Direct Access connection.
Is there a SaaS I can buy to manage the patches? What do you guys recommend?
EDIT: No Office365 licenses in use. All of these systems are used by scientists for data analysis. The systems are not used as individual workstations (email, Facebook, etc.).
EDIT #2: Thanks everyone. This has been incredibly helpful. Thank you all so much.
Posted 3 years ago on r/sysadmin.