Microsoft frequently draws the ire of hapless users when it incapacitates unsuspecting customers' PCs with bad security updates. Just a few months ago, for example, security bulletin MS10-015 offered a patch that automatically turned some Windows XP PCs into big blue-screen bricks - no user intervention required. Microsoft also has a nasty habit of pushing all sorts of patches down the Automatic Updates chute, even when the update could hardly be termed "critical."
Microsoft's demonstrated inability to produce bug-free Black Tuesday security patches and an increasing number of problems with Second Tuesday non-security patching have led many Windows users to turn off Automatic Updates.
Many of us who've been bitten by buggy patches recommend that instead of blithely applying every patch that Microsoft shoves out the door, capable users should set Windows Update or Microsoft Update to "Notify but don't download" or "Download but don't install." (The exact terminology varies depending on the version of Windows.) Then, when the pioneers have the arrows in their backs, apply the latest updates.
Enter Microsoft Security Essentials, a widely respected and in some cases highly recommended anti-malware product from Microsoft. I use MSE and endorse it in my books because it's capable, quick, light, unobtrustive, and free.
There's just one little problem. If you've switched Microsoft Update or Windows Update to "Notify but don't download" or "Download but don't install," running the MSE installer zaps out your setting and switches Windows over to Automatic Updates. More to the point, the MSE installer does its little bit of mischief without warning or notification and without asking for permission.
As a result, many people who install MSE are floored to discover - usually after a batch of security patches gets automatically applied - that their carefully considered Automatic Update setting has been trampled.
The solution, once you realize that your Automatic Update setting has been hijacked, is to simply go back into Windows and change it. The change will stick: MSE itself doesn't flip it back. Only the MSE installer takes such liberties.
MSE uses the Microsoft Update/Windows Update mechanism to keep itself updated with the latest signature files, but it bypasses the Automatic Update setting in Windows. If you switch to "Notify but don't download," for example, MSE will still get updated once a day the way it should.
Why does the installer take it upon itself to change the setting? Only Redmond knows.