Policy Change Request (PCR) failing for application on DFS with single target folder

Version 2

    Introduction

    If you have an application on a DFS share and utilize Policy Change Requests (PCR), you may find that, despite going through the PCR process and the application being allowed to run, it is blocked the second time it is launched.

    Detail

    The issue occurs because the DFS link path (e.g. \\testing.com\dfs\data\user01\application.exe) is stored in the PCR configuration file after the first launch. On the second execution of the application, the DFS link path is resolved to the target folder (\\server01\data\user01\application.exe), which is then compared to the DFS link path stored in that XML configuration file. As the DFS link path and the DFS target folder path are different, no match is found on the second launch.
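
The comparison described above can be modelled in a few lines. This is an added Python illustration, not code from Application Control or from the original article; the link-to-target mapping (\\testing.com\dfs\data to \\server01\data) and all function names are assumptions, and it generalises to any number of DFS links.

```python
# Added illustration: a model of the path comparison, not the product's own logic.
from typing import Dict, Iterable, Optional

def norm(path: str) -> str:
    """Normalise a UNC path: backslashes, no trailing slash, case-insensitive."""
    return path.replace("/", "\\").rstrip("\\").casefold()

def resolve_dfs(path: str, links: Dict[str, str]) -> str:
    """Rewrite a DFS link path to its target folder, using the longest matching link."""
    p = norm(path)
    best: Optional[str] = None
    for link in links:
        l = norm(link)
        # Match only on a whole path component, so "data" does not match "database".
        if (p == l or p.startswith(l + "\\")) and (best is None or len(l) > len(norm(best))):
            best = link
    if best is None:
        return p  # not under any known DFS link, already a target path
    return norm(links[best]) + p[len(norm(best)):]

def is_allowed(launch_path: str, stored_paths: Iterable[str],
               links: Dict[str, str], link_matching: bool) -> bool:
    """Compare the path seen at launch with the paths stored after PCR approval."""
    seen = norm(launch_path)
    for stored in stored_paths:
        if seen == norm(stored):
            return True
        # With link matching, both sides are reduced to the target folder first.
        if link_matching and resolve_dfs(seen, links) == resolve_dfs(stored, links):
            return True
    return False

# Constructed sample data; the two file paths are the ones quoted in the article,
# the link-to-target mapping is an assumption derived from them.
DFS_LINKS = {r"\\testing.com\dfs\data": r"\\server01\data"}
STORED = [r"\\testing.com\dfs\data\user01\application.exe"]  # saved on first launch
SECOND_LAUNCH = r"\\server01\data\user01\application.exe"     # resolved on second launch

if __name__ == "__main__":
    print("plain comparison :", is_allowed(SECOND_LAUNCH, STORED, DFS_LINKS, False))
    print("link-aware match :", is_allowed(SECOND_LAUNCH, STORED, DFS_LINKS, True))
```

Running `is_allowed` over every stored path with a full link table shows which approved entries would stop matching once the link is resolved to its target.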

    This issue has been found in Application Control 10.1 FR2 (10.1.282.0) but it may also apply to other versions.

    Luckily, there is an Advanced Setting called DFSLinkMatching, which ensures that the path is correctly matched.

    You can enable DFSLinkMatching via the following steps:

    1. Open your AM configuration.

    2. Select the Manage tab and open the Advanced Settings.

    3. Select the Custom Settings tab.

    4. Click Add, highlight DFSLinkMatching and click Add again.

    5. Set DFSLinkMatching to 1 and click OK.

    6. Save the configuration and deploy it to a test endpoint.