Here is the powershell script I have running hourly on a server, then I just point my clients to it. The big point was NOT to extract the file. Windows Defender points to the exe itself.
$vdmpathbase = 'E:\VirusDef\latest\x64'$vdmpackage = $vdmpathbase +'\mpam-fe.exe'cmd /c "del $vdmpackage /q"Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage