If you have a Windows 2008 R2 domain, you can use the new DirectAccess feature of Windows 2008 R2 and Windows 7 to do this automatically.
What VPN solution are you using? Windows VPN or Cisco VPN or something else?
This sounds to me like more of a culture problem than anything else. We provide instructions through corporate policy that users are required to connect at specific times for maintenance. If it is MS updates you are concerned with, and if you have situations where this will not be feasible, at least configure those machines to obtain their updates automatically from the internet. Again, you have to make your users do this, and that can be a challenge itself.
If your end users are using Windows 7 (or can be upgraded to Windows 7), look at the DirectAccess feature. With it, the remote computers will automatically connect back to the network via an SSL encrypted tunnel for things like GPO updates, Windows patches from a WSUS server, etc. Basically, whenever a user's computer needs access to the company network, the machine automatically connects to the network and gets the data it needs, then disconnects. I wrote about it in the book Microsoft Windows 7 Administrator’s Reference: Upgrading, Deploying, Managing, and Securing Windows 7.