I was with a customer recently who found management of their Forefront updates to be problematic, and they were looking for an alternative to the general recommendation (http://technet.microsoft.com/en-us/library/dd185652.aspx). They had actually come to this idea on their own and then asked for my input, but if they had asked me first, this is the same solution I would have proposed.
Set up a script to download the updates (see http://support.microsoft.com/kb/935934 to get you started) and run that script as a scheduled task (say, every 4 hours). In SCCM, create a package whose source location is the folder your script downloads the updates into. Set a schedule to update your distribution points on a regular interval (such as every 4 hours, about 10 minutes after your download kicks off). Create a program in that package that silently installs the update. Advertise that program with a recurring schedule that runs it on the client at a regular interval, such as every 4 hours and about 45 minutes after the download script starts (depending on how long your DP replication takes).
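The download side of that procedure, as an added PowerShell example that is not from the original post or from the KB article. It assumes a package source share (\\sccmserver\Sources\ForefrontDefs), a service account for the scheduled task, and per-architecture download links that you must take from KB935934 (the LinkIDs below are placeholders); the file name mpam-fe.exe and the per-architecture subfolders are my choice. Because whatever lands in the package source is pushed to every client and executed as SYSTEM, the script verifies Microsoft's Authenticode signature on the downloaded file before replacing the previous copy, and only replaces it when the content actually changed, so a DP update after an unchanged download has nothing to send.

```powershell
# Get-ForefrontDefinitions.ps1 (added example, not the original post's script)
# Downloads the Forefront definition installer for each architecture into an
# SCCM package source share, verifying the Microsoft Authenticode signature
# before the file replaces the previous copy. Intended to run as a scheduled
# task, e.g. every 4 hours, under an account that can write to the share.
param(
    # Package source folder; the SCCM package's data source points here (assumed path).
    [string]$SourceRoot = '\\sccmserver\Sources\ForefrontDefs',
    [string]$LogFile    = "$SourceRoot\download.log"
)

# Per-architecture download links. The LinkIDs are placeholders (assumption);
# take the real links for your product and architecture from KB935934.
$Downloads = @{
    'x86' = 'http://go.microsoft.com/fwlink/?LinkID=<x86 LinkID from KB935934>'
    'x64' = 'http://go.microsoft.com/fwlink/?LinkID=<x64 LinkID from KB935934>'
}

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# SHA-256 via .NET so the script also works on the PowerShell 2.0 hosts of the era.
function Get-Sha256([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-Definition([string]$Arch, [string]$Url) {
    $targetDir = Join-Path $SourceRoot $Arch
    if (-not (Test-Path $targetDir)) { New-Item -ItemType Directory -Path $targetDir | Out-Null }
    $final = Join-Path $targetDir 'mpam-fe.exe'          # file name is an assumption; use what the KB gives you
    $temp  = Join-Path $targetDir 'mpam-fe.exe.download' # downloaded here first so a partial file never replaces $final

    try {
        $client = New-Object System.Net.WebClient
        $client.DownloadFile($Url, $temp)
    } catch {
        Write-Log "$Arch download failed: $_"
        if (Test-Path $temp) { Remove-Item $temp -Force }
        return $false
    }

    # Check: the file is distributed to every client and runs as SYSTEM, so accept
    # only a binary whose Authenticode signature is valid and issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $temp
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Log "$Arch rejected: signature status $($sig.Status)"
        Remove-Item $temp -Force
        return $false
    }

    # Unchanged content: discard the download so the package source (and the DPs) stay untouched.
    if ((Test-Path $final) -and ((Get-Sha256 $final) -eq (Get-Sha256 $temp))) {
        Remove-Item $temp -Force
        Write-Log "$Arch unchanged"
        return $true
    }

    Move-Item -Path $temp -Destination $final -Force
    Write-Log "$Arch updated to file version $((Get-Item $final).VersionInfo.FileVersion)"
    return $true
}

$allOk = $true
foreach ($arch in $Downloads.Keys) {
    $ok    = Get-Definition -Arch $arch -Url $Downloads[$arch]
    $allOk = $allOk -and $ok
}
if (-not $allOk) { exit 1 }   # non-zero exit makes a failed run visible in the task history

# Register the download as a 4-hourly scheduled task (run once, interactively; schtasks prompts for the password):
#   schtasks /Create /TN "Forefront definition download" /SC HOURLY /MO 4 /RU DOMAIN\svc_defs /RP * ^
#       /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Get-ForefrontDefinitions.ps1"
```

Point the SCCM package's data source at the share, schedule its distribution point update about 10 minutes after the task fires, and create one program per architecture whose command line runs the downloaded installer from its subfolder (x86\mpam-fe.exe, x64\mpam-fe.exe), set to run hidden whether or not a user is logged on. The installer's silent behaviour and any switches it needs are per the KB, not something this script controls.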
Tada: all your clients now have up-to-date Forefront definitions, all delivered through the bandwidth-controlled distribution mechanism of SCCM.
NOTE: The time intervals I gave are for discussion and example purposes only. Depending on your environment, the size and latency of your SCCM hierarchy, and so on, you may need to adjust those intervals and/or set up separate downloads and packages for down-level child sites.
A newer and more in-depth discussion of how to do this was posted at social.technet.microsoft.com/.../automatically-deploying-forefront-endpoint-protection-updates-via-system-center-configuration-manager.aspx