microsoftdocs / wdac-toolkit

Documentation and tools to access Windows Defender Application Control (WDAC) technology.

License: Creative Commons Attribution 4.0 International

C# 98.02% PowerShell 1.98%

wdac-toolkit's Introduction

The WDAC Policy Wizard is a tool developed by the Microsoft Windows Defender Application Control (WDAC) feature team to help IT professionals create powerful WDAC policies for deployment.

Using the WDAC Policy Wizard

Installing - documentation related to the initial installation of the application.

Usage Guide - documentation related to the authoring, editing and publishing process for WDAC

Contributing

The WDAC Policy Wizard team appreciates all feedback provided to make the app better for users. We also appreciate any contributions to the project. Here are some ways to contribute.

  • Contributing - overview of the ways you can contribute to the WDAC Policy Wizard.
  • Style Guide - outlines the various UI design elements for modifying the various user controls and windows.
  • Feedback - overview of the methods of providing feedback to the authors of the application.

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Legal Notices

Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file, and grant you a license to any code in the repository under the MIT License, see the LICENSE-CODE file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.

Privacy information can be found at https://privacy.microsoft.com/en-us/

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.

wdac-toolkit's People

Contributors

dependabot[bot], isbrahm, jgeurten, jlaundry, lee-halford, microsoft-github-operations[bot], microsoftopensource, wildbydesign

wdac-toolkit's Issues

Long paths should be handled in the Wizard

Deven indicated that the Wizard should dupe path rules for wildcard matching

"\\?\C:\data\test\bin\SimpleScript384.vbs" <- Path under evaluation
C:\data\test\bin* <- Applicable allow rule

result = script == denied

if there was a second applicable allow rule, \\?\C:\data\test\bin*, result = script == allowed
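
The mismatch described in this issue, as an added example that is not part of the original report or the Wizard's code. It assumes a literal string model of trailing-wildcard matching (not the Code Integrity engine itself) to show why the `\\?\`-prefixed path misses the plain rule and how emitting each rule in both spellings covers it; the function names are hypothetical.

```powershell
# Added illustration: a literal string model of path-rule matching.
# It is not the Code Integrity engine; function names are hypothetical.

function Test-PathRuleLiteral {
    # True when $Candidate matches any allow rule, comparing the strings as-is.
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string[]]$AllowRule
    )
    foreach ($rule in $AllowRule) {
        if ($rule.EndsWith('*')) {
            # Trailing wildcard: everything before the '*' must be a prefix.
            $prefix = $rule.TrimEnd('*')
            if ($Candidate.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        }
        elseif ([string]::Equals($Candidate, $rule, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Add-LongPathVariant {
    # For every rule that starts with a drive letter, also emit the \\?\ form.
    # Rules that already carry the prefix, or that start with a macro or a
    # wildcard, are passed through unchanged.
    param([Parameter(Mandatory)][string[]]$Rule)
    $expanded = foreach ($r in $Rule) {
        $r
        if ($r -match '^[A-Za-z]:\\') { '\\?\' + $r }
    }
    $expanded | Select-Object -Unique
}

# Values taken from the issue text.
$candidate = '\\?\C:\data\test\bin\SimpleScript384.vbs'
$rules     = @('C:\data\test\bin*')
$duped     = Add-LongPathVariant -Rule $rules

[pscustomobject]@{
    RuleSet = 'as authored'
    Rules   = $rules -join ', '
    Allowed = Test-PathRuleLiteral -Candidate $candidate -AllowRule $rules
}
[pscustomobject]@{
    RuleSet = 'with long-path variants'
    Rules   = $duped -join ', '
    Allowed = Test-PathRuleLiteral -Candidate $candidate -AllowRule $duped
}
```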

New supplemental policies inherit and duplicate all the signing rules from the base

  1. Open the WDAC Policy Wizard -> Policy Creator -> Base Policy ->Template. Build the policy.

  2. Open the WDAC Policy Wizard again -> Policy Creator -> Supplemental Policy (Link to the Base Policy created in the last step) -> Proceed to the 'Signing Rules' section.

The table is full of the rules defined in the Base from step 1. When building a supplemental, should start from an empty supplemental.

Building Supplemental Policies Doesn't Appear to Work Properly

Using the flow for creating a new Supplemental Policy appears to work fine until I hit the step of actually "building" it. An error then occurs. The only information provided is this:

Setting additional parameters:
100% [progress bar]

Error During Build
Output location:
Unable to locate

The same has occurred with three out of my three different attempts to build supplemental policies, trying different rule configurations for each.

System Info:
Windows 10 Enterprise x64
v. 1903 (18362.836)

Exception raised when output file for "Policy File Location" is not returning a value

Hello,

Thanks for the tool - very handy! While creating a new policy (Base template, Signed and Reputable Mode), I clicked browse to inspect the file path, and clicked cancel. An exception was raised (Exception trace below).
User can continue, but it would be good to keep the previous value in case the SelectionStart returns -1 or handle the exception.

I am not sure what source file needs to be modified, there are multiple references to "SelectionStart" in different form views.
Let me know if you need more details.
Thanks!

Trace:

Exception Occurred 
InvalidArgument=Value of "-1" is not valid for 'SelectionStart'. 
Parameter name: SelectionStart.

See the end of this message for details on invoking 
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.ArgumentOutOfRangeException: InvalidArgument=Value of '-1' is not valid for 'SelectionStart'.
Parameter name: SelectionStart
   at System.Windows.Forms.TextBoxBase.set_SelectionStart(Int32 value)
   at WDAC_Wizard.TemplatePage.textBoxPolicyPath_TextChanged(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.4420.0 built by: NET48REL1LAST_C
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
WDAC Wizard
    Assembly Version: 1.6.6.0
    Win32 Version: 1.6.6.0
    CodeBase: file:///C:/Program%20Files/WindowsApps/Microsoft.WDAC.WDACWizard_1.6.6.0_x64__8wekyb3d8bbwe/WDAC%20Wizard.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.4400.0 built by: NET48REL1LAST_C
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.4360.0 built by: NET48REL1LAST_C
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.4390.0 built by: NET48REL1LAST_C
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.4190.0 built by: NET48REL1LAST_B
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Core
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.4465.0 built by: NET48REL1LAST_B
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.3752.0 built by: NET48REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.3752.0 built by: NET48REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

WDAC is not parsing Treat Revoked/Expired correctly

Thanks for reporting this. I will file a bug on myself to investigate tomorrow. I think the issue is I have an older code integrity schema that is being serialized and I need to update to the latest schema. So when the Wizard parses the xml to set the UI, it does not understand "Treat Revoked as Unsigned" and sets the default state in the UI (disabled).

Will update you by next week!

Thanks,
Jordan

Hi Jordan,

Small finding re editing policies in the wizard (1.6.5.2.22):

created policy with “Treat Revoked as Unsigned” enabled
verified setting is in the XML
loaded the policy into the wizard
Treat Revoked As Unsigned is no longer enabled in the UI?

Curiously, if I then next-next-finish (leaving TraU disabled), the setting is again in the XML, but at the top of the list of settings?

In other words: once the setting is in an XML, there is no way of getting rid of it, at least not in the Wizard.

Exception Rules Not Working

I am using the latest version 1.6.4. I understand that with version 1.6.3, you have added the ability to create file rule exceptions. I just finally got a chance to start playing around with those rules now.

However, I have tried about a dozen different combinations of file rule exceptions to try within the UI but none of the exceptions survive through to the XML output. The rules all show in the UI, but the XML file output only ever shows the base rule without any of the exceptions. I've tried almost all possibilities in the UI regarding exceptions and they all unfortunately fail to get to the XML.

The UI for custom rules (including exceptions) is fantastic, by the way.

On a side note, is there any Microsoft documentation for how to manually create these exception rules? Example XML structures to follow?

Thank you.

EDIT: While the bug still remains, I just found the answer to my question about manually creating WDAC exception rules and I will share it here just in case anyone else finds it beneficial. The manual method with exceptions can be used for now until the bug within the WDAC Wizard app is fixed.

Link: MicrosoftDocs/windows-powershell-docs#2365

https://github.com/MicrosoftDocs/windows-powershell-docs/blob/master/docset/winserver2019-ps/configci/New-CIPolicy.md#example-4-create-a-policy-with-exception-rules

and

https://github.com/MicrosoftDocs/windows-powershell-docs/blob/master/docset/winserver2022-ps/configci/New-CIPolicy.md#example-4-create-a-policy-with-exception-rules

WDAC Wizard Catalog Creation Capabilities

Package inspector listens/monitors a volume
Start installation
Creates catalog (hash rules)
Import the catalog to create rules

We had a call with a customer today working on policies for Server Core and Jeffrey focused on using catalogs vs AppLocker MI so I think it would be something to explore to make the process a little easier with the WDAC Wizard. If you could hit a button, do what you need to do, then hit the button again to stop recording and then the tool show you the output of the CDF along with automating the signature process if you approve, that could be helpful... What do you think Bella?


but there are a lot of components in that including the PackageInspector and signtool

Event log --> catalogs (hashes of the apps to allowlist). Sign the catalog to avoid having to amend the policy.

Custom hash deny rules are not being added to the policy

This is being done separately (two separate Deny rules) for each of the below hashes:

Hashes:
Refreshfiles.exe - F625D543E697F129BC4942632BCF226397AE9679D381C7D2B5515777E7F36B3F
Git-2.35.1-64-bit (1).exe - 5D66948E7ADA0AB184B2745FDF6E11843443A97655891C3C6268B5985B88BF4F

"Download the Installer" button broken due to ms-appinstaller protocol disabled

When I click the "Download the Installer" button and allow it to open App Installer, I get an App Installer window with the message "Cannot open app package". The reason shown is "The ms-appinstaller protocol has been disabled. Please ask the vendor to update the weblink. For more information go to aka.ms/ms-appinstaller-disabled."

The link goes to a docs page with this note at the top:

The ms-appinstaller scheme (protocol) has been disabled. This means App Installer will not be able to install an app directly from a web server and it will need to be downloaded first. Update the link on your website by removing 'ms-appinstaller:?source=' so that the MSIX package or .appinstaller file will be downloaded. This may increase the download size for some packages. The user can then install the package with App Installer.

Supplemental policies include all base policy rules by default

When using the tool to create a supplemental policy, all base policy rules by default are included in the supplemental policy.

If you didn't remove each of these before adding additional rules, this could lead to a mismatch as if you ever needed to change a base policy rule you'd then have to edit all your supplementary rules to ensure there isn't a conflict. Could also result in supplemental policies exceeding max size.

If you have a large base policy, each time you create a new supplementary policy it can result in a prolonged task of removing each of the base rules. Edit: Just tried this and even if you remove the base policy rules they're still added when generating the XML file
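
A check for the duplication reported here and in the earlier "New supplemental policies inherit and duplicate all the signing rules from the base" issue, as an added example that is not part of either report or of the Wizard's code. It compares a supplemental policy XML with its base and lists the file rules and signers that already exist in the base, matching on rule content rather than ID; the two inline policies are constructed sample data, the TBS value is a placeholder, and the function names are hypothetical.

```powershell
# Added illustration. Both policies are constructed sample data and the
# CertRoot value is a placeholder, not a real certificate hash.
[xml]$basePolicy = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Tools folder" FilePath="C:\Tools\*" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Example Root CA">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH" />
    </Signer>
  </Signers>
</SiPolicy>
'@

[xml]$supplementalPolicy = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <FileRules>
    <Allow ID="ID_ALLOW_A_7" FriendlyName="Line-of-business app" FilePath="D:\Apps\Lob\*" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_S_9" Name="Example Root CA (copy)">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH" />
    </Signer>
  </Signers>
</SiPolicy>
'@

function Get-NodeSignature {
    # Element name plus its attributes, ignoring the ones that only label a rule.
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Node)
    $attrs = foreach ($a in $Node.Attributes) {
        if ($a.LocalName -notin 'ID', 'FriendlyName', 'Name') {
            '{0}={1}' -f $a.LocalName, $a.Value
        }
    }
    '{0}[{1}]' -f $Node.LocalName, (($attrs | Sort-Object) -join ';')
}

function Get-PolicyRule {
    # One object per FileRules entry and per Signer, with a content-based key.
    param([Parameter(Mandatory)][xml]$Policy)
    $ns = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
    Select-Xml -Xml $Policy -Namespace $ns -XPath '//si:FileRules/* | //si:Signers/si:Signer' |
        ForEach-Object {
            $node = $_.Node
            $children = foreach ($c in $node.ChildNodes) {
                if ($c.NodeType -eq [System.Xml.XmlNodeType]::Element) {
                    Get-NodeSignature -Node $c
                }
            }
            [pscustomobject]@{
                Id  = $node.GetAttribute('ID')
                Key = (@(Get-NodeSignature -Node $node) + @($children | Sort-Object)) -join '|'
            }
        }
}

function Find-InheritedRule {
    # Rules in the supplemental policy whose content already exists in the base.
    param(
        [Parameter(Mandatory)][xml]$Base,
        [Parameter(Mandatory)][xml]$Supplemental
    )
    $baseKeys = @(Get-PolicyRule -Policy $Base | ForEach-Object { $_.Key })
    Get-PolicyRule -Policy $Supplemental | Where-Object { $baseKeys -contains $_.Key }
}

Find-InheritedRule -Base $basePolicy -Supplemental $supplementalPolicy |
    Format-Table -AutoSize -Wrap
```

To run it against real files, load them with `[xml](Get-Content -Raw <path>)` in place of the two here-strings.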

Editing the DefaultWindows_Enforced.xml example policy with WDAC-Toolkit renders UMCI disabled in the resulting policy

Edit the above example policy from a Win10 enterprise 20H2 using WDAC Policy Wizard 1.6.4.1.22.
Accept the defaults and continue through the wizard.
Ensure the policy rule for User Mode Code Integrity is switched to on (it is by default)
Complete the wizard with no additional rules
Deploy the resulting .CIP (I used GPO)
System Information confirms that Windows Defender Application Control User Mode Policy is off

Compiling the XML generated by the above process using PowerShell results in the same

Compiling the source example policy DefaultWindows_Enforced.xml untouched by WDAC Policy Wizard, deploying it with the same method, System Information confirms that Windows Defender Application Control User Mode Policy is Enforced.
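
A pre-deployment check for the regressions reported here and in the "Treat Revoked/Expired" issue above, as an added example that is not part of either report or of the Wizard's code. It compares the rule options and the user-mode signing scenario of a policy XML before and after an edit, so a lost option is caught before the policy is compiled and deployed; it does not diagnose the cause of the reported behaviour. The two inline policies are constructed sample data and the function names are hypothetical.

```powershell
# Added illustration. Both policies are constructed sample data.
[xml]$beforeEdit = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Revoked Expired As Unsigned</Option></Rule>
  </Rules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" />
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" />
  </SigningScenarios>
</SiPolicy>
'@

[xml]$afterEdit = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Revoked Expired As Unsigned</Option></Rule>
  </Rules>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" />
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" />
  </SigningScenarios>
</SiPolicy>
'@

function Get-PolicySummary {
    # Rule options as strings, plus whether a user-mode scenario (Value 12) exists.
    param([Parameter(Mandatory)][xml]$Policy)
    $ns = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
    $options = @(
        Select-Xml -Xml $Policy -Namespace $ns -XPath '//si:Rules/si:Rule/si:Option' |
            ForEach-Object { $_.Node.InnerText.Trim() }
    )
    $userMode = @(
        Select-Xml -Xml $Policy -Namespace $ns -XPath '//si:SigningScenario[@Value="12"]'
    )
    [pscustomobject]@{
        Options             = $options
        HasUserModeScenario = ($userMode.Count -gt 0)
    }
}

function Compare-PolicyOption {
    # Options lost or gained by an edit, and the two facts user-mode
    # enforcement depends on in the edited policy.
    param(
        [Parameter(Mandatory)][xml]$Before,
        [Parameter(Mandatory)][xml]$After
    )
    $old = Get-PolicySummary -Policy $Before
    $new = Get-PolicySummary -Policy $After
    [pscustomobject]@{
        Removed             = @($old.Options | Where-Object { $new.Options -notcontains $_ })
        Added               = @($new.Options | Where-Object { $old.Options -notcontains $_ })
        UmciOptionPresent   = ($new.Options -contains 'Enabled:UMCI')
        HasUserModeScenario = $new.HasUserModeScenario
    }
}

Compare-PolicyOption -Before $beforeEdit -After $afterEdit | Format-List
```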

Free-type of file/folder path results in empty value

When choosing a file/folder path rule, if you close the pop-up dialog box to choose the file/folder path, and then manually type the path to the folder/file (for example if referencing an SMB path that you don't necessarily have access to on your workstation). When you then click create rule, the value in the Reference File rule isn't added accurately to the policy signing rules list.

Malformed XML?

Hi, when trying to upload an XML output into Intune it gives an error of Malformed XML. When I convert the XML to a Bin and upload it is fine but it does not apply the setting due to malformed syntax.

I am uploading the XML unmodified, and converting the file unmodified. Are there any suggestions on what may be causing this behavior?

Unable to run the AppLocker Policy Converter tool

Hi,

I tried to test the AppLocker policy converter tool recently uploaded here, and it seems I cannot make it work on my work computer.

First, I had to install the .NET Runtime 6.0.7, otherwise I got an error message while trying to launch the executable. Now that the runtime is installed, I get an error message about hostpolicy.dll:

Cannot use file stream for [path\AppLocker-Policy-Converter.deps.json]: No such file or directory
A fatal error was encountered. The library 'hostpolicy.dll' required to execute the application was not found in 'C:\Program Files\dotnet\'.
Failed to run as a self-contained app.
  - The application was run as a self-contained app because 'path\AppLocker-Policy-Converter.runtimeconfig.json' was not found.
  - If this should be a framework-dependent app, add the 'path\AppLocker-Converter\AppLocker-Policy-Converter.runtimeconfig.json' file and specify the appropriate framework.

Is it expected, and do I need to install another dependency?

Allow-listing wildcard folder doesn't seem to work

I have a rule that allows c:\program files* and c:\program files (x86)* since none of our end users have admin rights so the only way to install apps is through Company Portal, or pushed as required apps from Intune. One of the apps we're deploying has a plethora of DLLs that are in the C:\program files (x86)(vendor)(title) and subfolders of title. The app refuses to launch when installed as DLLs are being blocked (seeing the event log errors under CodeIntegrity). Specific allow-listing of a single DLL file is possible, but with over 50 DLL files supporting the app (and of course they're unsigned!) the folder allow-listing is preferable and needs to work.

Documentation for default template policies is incorrect?

https://github.com/MicrosoftDocs/WDAC-Toolkit/blob/master/WDAC-Policy-Wizard/docs/using/base-policy.md
https://github.com/MicrosoftDocs/WDAC-Toolkit/blob/master/WDAC-Policy-Wizard/docs/using/supplemental-policy.md

Both files state:

| Template Policy | Authorizes | Circle of Trust |
| --- | --- | --- |
| Allow Microsoft Mode | Microsoft Office365 Applications; Microsoft Store Applications | Smallest Circle-of-Trust |
| Windows Works Mode | Microsoft Office365 Applications; Windows-signed Applications; WHQL Kernel Drivers | |
| Signed and Reputable Mode | Microsoft Office365 Applications; Microsoft Store Applications; Windows-signed Applications; WHQL Kernel Drivers; Files with good reputation, according to the ISG | Largest Circle-of-Trust |
But as per the "decision guide" within WDAC wizard, the "Windows Works Mode" is the one with the smallest Circle-of-Trust and the pre-included stuff is not aligned with the documentation.

+It might be helpful to align the docs here with the official docs for base policy templates (because the official docs are the ones that are linked in the wizard itself):
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies
As per the official docs I'd assume that WDAC wizard uses those default Windows templates as a baseline but I might be wrong. At least it's confusing (just for me maybe? ;))

| Mode | Windows base template |
| --- | --- |
| Allow Microsoft Mode | AllowMicrosoft.xml |
| Windows Works Mode | DefaultWindows.xml |
| Signed and Reputable Mode | Maybe DefaultWindows + ISG Rule Option? |

Refactor Wizard to support arbitrary event log parsing

$events = Get-WinEvent -Path C:\Users\jsuther\Desktop\CIDiag\CIDiag\CIOperational.evtx

<#
# Keep only the events with ID 3077
$justConfigCiBlockEvents = $events | ?{$_.ID.Equals(3077)}
$justConfigCiBlockEvents[0].Properties
# Properties 8 = sha1 hash, to pretty print it:
PS C:\> ($justConfigCiBlockEvents[0].Properties[8].Value | foreach {$_.ToString("X2")}) -join ""
4D86861EC795685F3680C44137B17E0065D4E49A
# filter by hash
$justMyHashes = $justConfigCiBlockEvents | ?{(($_.Properties[8].Value | foreach {$_.ToString("X2")}) -join "").Equals("4D86861EC795685F3680C44137B17E0065D4E49A")}
# dump usn
$justMyHashes.Properties[11]

# Keep only the events whose Level is 4
$events | ?{$_.Level.Equals(4)}
#>

$events.ActivityId

Error on Trying To Edit an Existing Policy With No Signers or Rules

The first two pages in the "edit existing policy" flow worked fine. But when the app attempted to load the next step (which I was, ironically, going to use to add some signer rules) the following error occurred:

************** Exception Text **************
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: value
at System.Windows.Forms.DataGridView.set_FirstDisplayedScrollingRowIndex(Int32 value)
at WDAC_Wizard.SigningRules_Control.displayRules()
at WDAC_Wizard.SigningRules_Control.SigningRules_Control_Load(Object sender, EventArgs e)
at System.Windows.Forms.UserControl.OnLoad(EventArgs e)
at System.Windows.Forms.UserControl.OnCreateControl()
at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
at System.Windows.Forms.Control.CreateControl()
at System.Windows.Forms.Control.ControlCollection.Add(Control value)
at System.Windows.Forms.Form.ControlCollection.Add(Control value)
at WDAC_Wizard.MainWindow.pageController(Object sender, EventArgs e)
at WDAC_Wizard.MainWindow.button_Next_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4180.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll

WDAC Wizard
Assembly Version: 1.4.9.0
Win32 Version: 1.4.9
CodeBase: file:///C:/Program%20Files/WindowsApps/MicrosoftCorporation.WDAC.WDACWizard_1.4.10.0_x64__8wekyb3d8bbwe/WDAC%20Wizard.exe

System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4150.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll

System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4001.0 built by: NET48REL1LAST_C
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll

System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3752.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll

System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3752.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll

System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3752.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll

Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3752.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll

System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4180.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll

WDAC - Remove item in WDAC policy wizard is not working while editing the policy

Create a policy in WDAC policy wizard
Select Single Policy Format
Select Allow Microsoft Mode
Add custom Rule
One Allow rule for a specific path
One Deny rule for a specific path
Next

Check the policy.xml file for the custom rules

Now, click on Home tab and go to Policy Editor
Open the above created policy file
Select your custom Deny rule and click Remove Item
Add different custom rule and click Next
Now, check the policy.xml file. It will have 3 custom rules including the one which you have removed.
Remove Item functionality is not working while editing the policy.

Reported through ADO #38019991

Allow COM object registration in the Wizard

Allow COM object registration in a WDAC policy (Windows 10) - Windows security | Microsoft Docs

# Allows registration of all COM object GUIDs in any provider
Set-CIPolicySetting -FilePath C:\Users\jogeurte.REDMOND\Documents\AllowMicrosoft012121_1.xml -Provider "AllHostIds" -Key "AllKeys" -ValueName "EnterpriseDefinedClsId" -ValueType Boolean -Value true

# Blocks a specific COM object from being registered via Internet Explorer (IE)
Set-CIPolicySetting -FilePath C:\Users\jogeurte.REDMOND\Documents\AllowMicrosoft012121_1.xml -Provider "IE" -Key "{00000000-4444-4444-1616-161616161616}" -ValueName "EnterpriseDefinedClsId" -ValueType Boolean -Value false

# Allows a specific COM object to register in PowerShell
Set-CIPolicySetting -FilePath C:\Users\jogeurte.REDMOND\Documents\AllowMicrosoft012121_1.xml -Provider "PowerShell" -Key "{33333333-4444-4444-1616-161616161616}" -ValueName "EnterpriseDefinedClsId" -ValueType Boolean -Value true

File Explorer doesn't list files when searching for "All Binary Files"

Creating a publisher rule, and searching for a reference binary. When the explorer window is set to search for "All Binary Files", the only files that pop up are folders.

When I switch to something more specific (eg. "System Files"), then all of the binaries appear in the explorer window.

Settings button is resetting Application Settings

Version 1.6.2

After playing with the new "Convert policy to binary after xml creation" setting briefly, I realized that the setting kept getting turned off nearly a dozen times during my initial testing.

It turns out that the Settings button is wiping out the settings similar to the Reset button.

Repro: Change any setting within the Application Settings and then press the Settings button twice.

EDIT: It seems that any time you visit the Application Settings section, it wipes out the \Packages\Microsoft.WDAC.WDACWizard_8wekyb3d8bbwe\LocalCache\Local\Microsoft_Inc\WDAC_Wizard.exe_Url_ulggy3tr0aioq40kocvohw5yxn3tyz2r\1.6.2.0\user.config file every time. Reproducible 100% of the time.

Temporary Workaround: Set your settings once, and do not visit the Application Settings again until a fix is released.
