How to connect clients to INTERNAL WSUS server but download the approved updates from Microsoft

I don't believe so, but one workaround is to implement an intercepting proxy server on your network. This means that you can configure the WSUS server to instruct clients to download from Microsoft, but still cache the content locally for machines on your network. (As an added bonus, updates will only be downloaded if they are actually needed, so you can be less selective about what you approve.)

A variation of this is to configure WinHTTP on your desktop machines to use a proxy server, although this means laptops that are on-site will still download from Microsoft. In principle you could write some software that detects the current location of the machine and reconfigures WinHTTP as necessary.

You need multiple GPOS.

1. Create 1 GPO to download using the WSUS server. Apply this to the site.
2. Create a group containing the computers that you want to auto update
3. create a GPO that sets the WSUS to auto install. Apply security filtering to the GPO that only lets the group in set 2 apply the policy. Apply this (as second priority to the GPO in step 1) to the site.

As far as connecting to WU, You need to have a company policy that remote users VPN in at some interval, to facilitate updates. create a replica server in your DMZ with no content so the systems will get the content from the microsoft update servers (so you won't need to be connected to the VPN to get the updates