If you are looking for a trigger to launch your client update deployment tools/scripts while the VPN is active there are a few options:
1. Enhance your client side script to detect for a valid IP on the Pulse VPN virtual adapter (a valid IP is a good indicator that the Pulse VPN tunnel is setup)
2. Enhance your client side script to ping an internal resource that would only be reachable when tunnel is active. Use the success of ping as a trigger for your script
3. Use the VPN Tunnel role level option "Session start script". This option can trigger a script that is located on the client machine
Additionally if you would like to explore enforcing that a machine is updated with patches you should consider using Host Checker Predefined policies. There are pre-defined policies for most AV products and starting with release 8.1R1 there are predefined policies for a few patch management products.
