After many talks from and within the Mac Admin community about XProtect and Gatekeeper updates, it was pointed out that in a few scenarios the updates don't apply.
Scenario 1: When the automatic check for Apple updates is disabled (softwareupdate --schedule off), the critical updates do not apply.
When you run sudo softwareupdate --background-critical while the automatic update check is disabled, the critical updates do not apply. (This is the "automatically check for updates" setting, not "automatically install updates".)
Once you turn the setting back on and run the same command, you see a whole lot more than before: a lot more traffic, including the download of XProtectConfigData.
The next step was to make sure I could not only verify the state of these settings in OS X but also run the command that updates the security data.
I wrote a couple of scripts to address this situation; they are available on my GitHub.
The first, Update_Status.sh, is an extension attribute that will check:
- Automatic Check for Updates
- Install Critical Updates
Once set as an attribute, you will get a report at every inventory. I also added a command to run the background-critical command to ensure the critical updates are being taken care of.
The second part is to set up a smart group which will grab all clients where the attribute result is "Disabled".
That smart group will be the scope of a policy set to run on the recurring check-in trigger with Ongoing frequency.
It will enable the auto updates and also run the critical updates.
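Here is how the two pieces fit together in one script, as an added example that is not the author's Update_Status.sh or policy script. The evaluate_status and report_ea functions play the extension attribute role (reporting Enabled only when both boxes are checked), and remediate is what the policy scoped to the "Disabled" smart group would run. The preference domain /Library/Preferences/com.apple.SoftwareUpdate and the key names AutomaticCheckEnabled and CriticalUpdateInstall are assumptions, as is treating a missing key as disabled.

```shell
#!/bin/bash
# Added example, not the author's Update_Status.sh or policy script.
# One file serving two roles: an extension attribute that reports whether
# both settings are on, and a remediate function for the policy that is
# scoped to the "Disabled" smart group.
#
# Assumptions: the two checkboxes are stored as booleans in
# /Library/Preferences/com.apple.SoftwareUpdate under the keys
# AutomaticCheckEnabled and CriticalUpdateInstall. A missing key is treated
# as disabled so that a never-configured Mac still lands in the smart group.

PLIST="/Library/Preferences/com.apple.SoftwareUpdate"

# Print the value of one key, or 0 when the key is absent or unreadable.
read_pref() {
    local value
    value=$(defaults read "$PLIST" "$1" 2>/dev/null) || value=0
    printf '%s\n' "$value"
}

# Decision logic kept free of macOS calls so it can be checked anywhere:
# Enabled only when both raw values are 1, Disabled otherwise.
evaluate_status() {
    local auto_check="$1" critical="$2"
    if [ "$auto_check" = "1" ] && [ "$critical" = "1" ]; then
        printf 'Enabled\n'
    else
        printf 'Disabled\n'
    fi
}

# Jamf reads an extension attribute's value from the <result> tags.
report_ea() {
    printf '<result>%s</result>\n' "$(evaluate_status "$1" "$2")"
}

# Remediation for the policy: turn both settings back on, then trigger the
# background critical-update check that pulls the XProtect/Gatekeeper data.
# Must run as root, which Jamf policies do.
remediate() {
    defaults write "$PLIST" AutomaticCheckEnabled -bool true
    defaults write "$PLIST" CriticalUpdateInstall -bool true
    softwareupdate --background-critical
}

# When executed on a Mac, this file behaves as the extension attribute and
# prints the report; the policy script calls remediate instead. On any
# other OS the top level does nothing, so the functions can still be used.
if [ "$(uname -s)" = "Darwin" ]; then
    report_ea "$(read_pref AutomaticCheckEnabled)" "$(read_pref CriticalUpdateInstall)"
fi
```

A client with either box unchecked reports Disabled, so the smart group criterion is simply "Update_Status is Disabled". Keeping evaluate_status free of defaults calls means the Enabled/Disabled decision can be exercised off a Mac, while read_pref defaulting to 0 on a missing key avoids the silent gap where a machine that was never configured would otherwise report nothing and escape remediation.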