I have a very strict policy that servers must not access the Net. If a server needs to be accessible from the Net, it will be placed in the DMZ zone with very rigid firewall rules. To update all servers, I need to implement the WSUS server in the local network.
I never let servers update automatically. Rather, I let them notify me about available updates and then I will manually run an installation process.