Hi, I have found that if I allow an installer file (using EXE file hash) to be used, it will typically create a .tmp in the user's %temp% directory and then applocker blocks the file from running in the %temp% location. Not sure how to overcome this, the only way is to then add a file path to %osdrive%\users\<username>\temp\* but I don't want to do this every time a user wants to install this application Any ideas? Is this by design? Thanks Shaun

there are 2 possible solutions: 1) change policy enforcement from Enforce to Audit Only. 2) grant user local administrator permissions and provide instructions how to change policy enrocement. This is not recommended for enterprises as domain users should not install any application without prior approval. My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com