This host integrity policy is a better option than this. The HI policy runs on clients, can detect outdated machines, and can force the machine itself to go out and update.
First priority should be to identify why these machines are going out of date.