An alternative way to handle Forefront updates

I was with a customer recently who found management of their Forefront updates to be problematic and they were looking for an alternative method to the general recommendation (https://technet.microsoft.com/en-us/library/dd185652.aspx).  They had actually come to this idea on their own then asked my input, but if they had asked me first this is the same solution I would have proposed.

Setup a script to download the updates (see https://support.microsoft.com/kb/935934 to get you started) and run that script as a scheduled task (say…, every 4 hours).  In SCCM create a package that points to the source location where your updates are downloading to.  Set a schedule to update your distribution points on a regular interval (such as every 4 hours, about 10 minutes after your download is kicked off).  Create a program that silently installs the update. Advertise that update with a re-occurring schedule that runs the update program on the client on a regular interval, such as every 4 hours and about 45 minutes after your initial download via your script (depending on your DP replication times).

Tada…, all your clients now have up-to-date forefront definitions, all done through the bandwidth controlled mechanism of SCCM.

NOTE: The time interval I gave was just for discussion and example purpose.  Depending on your environment, size and latency of your SCCM hierarchy, etc. you may need to adjust that time interval and/or set up separate downloads and packages for down level child sites.

Comments