Hi,
the SEP clients can be out-of-date if they cannot reach LiveUpdate contents, if the content can be reached, the product does the job, no need for a script to that. What you need is to make sure is to have that content available for the out-of-date client. If the client can't get the content from the LUA or the SEPM, something is not properly working and requires further investigation, if you force the update with a script which, for example, runs the Intelligent Updater, you will just hide real the issue.
If, according to your Network Access Control policies, the out-of-dated clients are going to a quarantine VLAN, ensure in that VLAN there's an internal LiveUpdate server (to be set with LiveUpdate Administrator, LUA) and the SEP clients know about it via policies. Once they get in touch with the LUA, they will get the newest content and you will then move them to the production VLAN.
You may implement those things much easier with our Symantec Network Access Control solutions.