My approach to this was to switch ALL clients to get the content directly from Microsoft rather than the DP, but whether this is suitable for you will depend on what your Internet connection bandwidth for your on-prem clients is like and how many of them are still working on-prem.
In answer to this "if the pc does go to Microsoft to get the updates, how to ensure that it does this using the home internet connection, rather than coming back through the VPN pipe to use the company's internet connection." that's down to how your VPN is configured. You already described it as being split tunnel, so presumably by that you mean it only routes traffic for your internal IP ranges and the internet traffic for VPN client machines goes via their local connection. In which case you don't need to do anything different. Downloading update content from Microsoft is an Internet traffic thing, so will come via whatever route that machine's Internet traffic comes.