Windows Vista UAC is not always a predictable beast.
Today I found out that if an executable doesn't set level="asInvoker" in its manifest, UAC confirmation will kick in if any of the following substrings appear in the filename:
A digital signature does not affect this behavior.
Besides adding "asInvoker" to the manifest, another workaround is to rename the executable to remove the trigger word. For example, renaming MyProductUpdater.exe to MyProductRenewal.exe will (for now) bypass the UAC logic.
Note that this in no way bypasses the protections of UAC. Functions which perform some task which requires UAC-approval will simply fail. This will only be useful if you have an update tool which only updates user-owned resources, since that doesn't require UAC-approval.