Forefront Client Security Automatic Update

I am sure many IT guys want to be able to automatically update Forefront client Security without using WSUS or standard windows updates, so here's what I need and hopefully it'll help those who have the same need.

to update manually, you go to this link:
this link will prompt you to download a file, and then after you clink on Run, it downloads the file to a temp directory, and then you get another prompt to run the file, and this is it.

this updates FCS.

what I'd like to do is have some sort of scripts that would actually go to this link and run the  file automatically, so that we can schedule a job to run once or twice a day to update the servers.

so I am looking for that expert who would help me get this script.

any help is much appreciated.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hmm...  That will get you the latest definitions but when FCS is initially installed isn't the client version/engine version and then it updates itself when you run Microsoft update to the latest client/engine version (clientsetup.exe) AND definition updates (mpam-fe.exe)

In any event, let's suppose this works, and it probably does, this is what I would do:
1. create a file share or an existing share that every user has access to (\\servername\shares)
2. put the updated file there every night or whenever
3. use a gpo login script to deploy file (or create sched tasks, etc)

all your script would be is a simple .bat file:

start \\servername\shares\mpam-fe.exe

only problem you might run into is user prompts.. there might be a silent switch for the .exe


Once you enable Microsoft (not Windows) Update and update Forefront, even without WSUS it should update itself.

 If you don't want to use WSUS/Forefront Client Security Management Console just install Forefront using the /NOMOM switch.  Once it's installed, update via Microsoft Update and then it should update itself...

Here are some instructions I sent out to some of our IT techs that were deploying FCS on non-domained machines (no WSUS/FCS Mgmt). I created a self extracting .exe with /nomom switch built in.  Instructions are for XP but Vista/7 just different place to go for Microsoft Updates ('Find updates for more products' in Windows Update control panel):

1.       Enable Microsoft Update.
Most machines, by default, have Automatic Updates/Windows Update enabled but may not have Microsoft Updates enabled.   Automatic Updates by default only update OS components and do not include all Microsoft products (like MS Office, Forefront, etc).
To enable Microsoft Updates go to the following website and follow the prompts:
2.       Installing Forefront Client Security
There is a self extracting .exe out on \\SERVERNAME\SHARE\Frontfront.exe that will install Microsoft Forefront Client Security using the /NOMOM (unmanaged) switch.  You can copy this file to a USB drive or to another location to install on a non-domain machine.  If you’d like to access \\SERVERNAME from a non-domain machine that is on our network using \\ and entering valid domain credentials will also work.
3.       Updating Forefront Client Security
Once you have installed Microsoft Forefront Client Security you will notice that the icon in the system tray is orange with an exclamation point. This means Forefront needs to be updates via Microsoft Update. Updating through the Forefront application will not work.  Once Microsoft Updates in enabled go to and follow the prompts to install Forefront updates.  If you do not wish to update other   products (Windows Updates, Office, etc) just unselect all and only choose the Items under “Microsoft Forefront”.
After you have completed these steps Forefront should automatically update itself without worry.
MedquestAuthor Commented:
I appreciate all the comments, but I think I found a solution for this.
I had a script to download the file from microsoft ftp site:
and then it runs the file with the /Q switch.
if you guys need a copy of this script, please let me know and I'll be more than happy to share it with you all.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Any chance I could have a copy of that script? :P
I'd love a copy of that script as well.
I'm looking to run it as a Task in SCCM...and this would be a great start.


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.