We are in the process of trying to implement Applocker. We are having a problem with EXEs and we are seeing duplicate events logged in the applocker event log, one event saying the executable will be allowed to run and then immediately after (with the same date/time stamp) an event saying the executable won't be allowed to run if the policy was enforced (which it isn't at the moment).
%PROGRAMFILES%\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE was allowed to run.
%PROGRAMFILES%\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
At this point we are only using the default rules that allow files located in program files and windows folders to run and the user is configured as a security group with all of our staff in it.
Can anybody shed any light on why we are seeing the conflicting events? I don't want to enforce the policy because it is unclear what will happen if I do.