MCTS Training Kit 70-680: Configuring Microsoft Windows 7 Client, Part 4


Lesson 2: Managing Disks CHAPTER 4 247
Practice Configuring Access Policy and Converting a Disk
In this practice, you use the Local Group Policy Editor to configure a computer policy that
denies write access to USB flash memory devices. You then use the Diskpart command-line
utility to convert a basic disk to dynamic.
Exercise 1: Configuring Write Access to USB Flash Memory Devices
In this exercise, you disable write access to USB flash memory devices. You then remove this
configuration setting.
1. Ensure you have a USB flash memory device connected to your computer.
2. Log on to the Canberra computer with the Kim_Akers account.
3. Click Start, and in the Start Search box, enter gpedit.msc. This opens the Local Group
Policy Editor.
4. In the left pane of the Local Group Policy Editor, expand Computer Configuration and
then expand Administrative Templates.
5. Expand System and click Removable Storage Access.
6. Click Standard to select the Standard tab on the right pane. You see a screen similar to
Figure 4-34.
7. In the right pane, double-click Removable Disks: Deny Write Access.
8. Select Enabled, as shown in Figure 4-39. Click OK.
FIGURE 4-39 Enabling the Removable Disks: Deny Write Access policy
2 4 8 CHAPTER 4 Managing Devices and Disks
9. Check that you can no longer write to the USB flash memory device. You might have to
remove the device and reinsert it to see it in the Computer console.
10. In the Local Group Policy Editor, double-click Removable Disks: Deny Write Access.
11. Select Not Configured. Click OK.
12. Check that you can now write to the USB flash memory device. As before, you might
have to remove the device and reinsert it to see it in the Computer console.
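A way to confirm the result of steps 8 and 11 without testing a write by hand, as an added PowerShell example that is not part of the book: it reads the registry values that the Removable Storage Access policies write. The registry path, the removable-disk class GUID, and the value names are those of the policy's administrative template and are not given on this page.

```powershell
# Added example (not from the book): report the state of the removable-storage
# deny policies by reading the values the policy writes to the registry.
# Assumption: the path, class GUID and value names below come from the
# Removable Storage Access administrative template, not from the page.
# Written to run on the PowerShell 2.0 that ships with Windows 7.

$base           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" class

function Get-PolicyState {
    param([string]$Path, [string]$Name)

    # A missing key or a missing value both mean the policy is Not Configured.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null)   { return 'Not Configured' }
    if ($item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$checks = @(
    @{ Policy = 'All Removable Storage Classes: Deny All Access'; Path = $base;                    Name = 'Deny_All'   },
    @{ Policy = 'Removable Disks: Deny Read Access';              Path = "$base\$removableDisks"; Name = 'Deny_Read'  },
    @{ Policy = 'Removable Disks: Deny Write Access';             Path = "$base\$removableDisks"; Name = 'Deny_Write' }
)

$report = foreach ($check in $checks) {
    New-Object PSObject -Property @{
        Policy = $check.Policy
        State  = (Get-PolicyState -Path $check.Path -Name $check.Name)
    }
}

$report | Format-Table Policy, State -AutoSize
```

After step 8 the Deny Write Access row should read Enabled, and after step 11 it should return to Not Configured.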
Exercise 2: Converting a Basic Disk to Dynamic
Converting a basic disk to dynamic is typically a safe procedure that does not affect the
information on the disk. Nevertheless, before you attempt this procedure, it is a good idea to
back up any important files on the disk. If you have two disks on your computer, choose the
disk that does not contain your operating system.
1. If necessary, log on to the Canberra computer with the Kim_Akers account.
2. On the All Programs/Accessories menu, right-click Command Prompt and click Run As
Administrator. If necessary, click OK to close the UAC dialog box.
3. Enter diskpart.
4. At the DISKPART> prompt, enter list disk and note the number of the disk you want to
convert.
5. At the DISKPART> prompt, enter select disk <disknumber>. Your screen should look
similar to Figure 4-40.
FIGURE 4-40 Selecting a disk to convert
6. At the DISKPART> prompt, enter convert dynamic.
Lesson Summary
• You can use the Disk Management console or the Diskpart command-line tool to
manage disks, partitions, and volumes on a computer running Windows 7.
• You can use Group Policy to control access to removable devices.
• Windows 7 supports basic disks, dynamic disks, the MBR partition type, and the GPT
partition type and allows you to convert from one to the other.
• Windows 7 offers software RAID-0, RAID-1, and RAID-5 volumes. You can also create
simple and spanned volumes. You can shrink or expand a volume without needing to
use third-party tools.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2,
“Managing Disks.” The questions are also available on the companion DVD if you prefer to
review them in electronic form.
Note: Answers
Answers to these questions and explanations of why each answer choice is correct or
incorrect are located in the “Answers” section at the end of the book.
1. Which Diskpart command converts an MBR disk to a GPT disk?
A. convert gpt
B. convert mbr
C. convert basic
D. convert dynamic
2. You require fault tolerance for your operating system so that your computer running
Windows 7 Home Premium can still boot up if a disk fails. You have two disks and
unallocated space on your second disk. What do you do?
A. Create a VHD and install an image of your computer on the VHD. Use BCDEdit to
make the VHD bootable.
B. Create a RAID-0 volume.
C. Create a RAID-1 volume.
D. Create a RAID-5 volume.
3. You want to prohibit read, write, and execute access to all types of external storage
devices. What computer policy setting do you enable?
A. All Removable Storage: Allow Direct Access In Remote Sessions
B. All Removable Storage Classes: Deny All Access
C. Removable Disks: Deny Read Access
D. Removable Disks: Deny Write Access
4. You are using the Diskpart tool to create a RAID-0 volume from unallocated space on
Disks 1, 2, and 3. You want the volume to be as large as possible. What command do
you enter?
A. create volume stripe size=0 disk=1,2,3
B. create volume stripe disk=1,2,3
C. create volume raid size=0 disk=1,2,3
D. create volume raid disk=1,2,3
5. You are moving a dynamic volume from the Canberra computer running Windows 7 to
the Aberdeen computer running Windows 7. The disk had been allocated drive letter
H: on Canberra. Drives C:, D:, and E: already exist on Aberdeen. You have not configured
Aberdeen to prevent new volumes from being added to the system. What drive
letter is allocated to the disk on Aberdeen?
A. The disk is not mounted, and no drive letter is allocated.
B. F:
C. G:
D. H:
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the
following tasks:
• Review the chapter summary.
• Review the list of key terms introduced in this chapter.
• Complete the case scenarios. These scenarios set up real-world situations involving the
topics of this chapter and ask you to create a solution.
• Complete the suggested practices.
• Take a practice test.
Chapter Summary
• If a device is not PnP, you need to supply administrator credentials to install it. You can
prestage a device driver and (if necessary) digitally sign it so non-administrators can
install it.
• You can prevent drivers downloading from Windows Update and installing
automatically. You can also remove the Windows Update site from the search path for
device drivers not in the device driver store. You can update, disable (or stop), uninstall,
or roll back device drivers.
• Windows 7 enables you to manage disks, partitions, and volumes and to control access
to removable devices. You can convert one disk type to another and one partition type
to another. You can shrink or expand volumes.
• Windows 7 supports single, spanned, RAID-0, RAID-1, and RAID-5 volumes.
Key Terms
Do you know what these key terms mean? You can check your answers by looking up the
terms in the glossary at the end of the book.
• defragmentation
• driver store
• staging
• Redundant Array of Independent Disks (RAID)
• Trusted Publisher store
Case Scenarios
In the following case scenarios, you apply what you’ve learned about deploying system
images. You can find answers to these questions in the “Answers” section at the end of this
book.
Case Scenario 1: Enforcing a Driver Signing Policy
You are a senior systems administrator at the A. Datum Corporation. A. Datum’s written
company policy states that only drivers that have been through the WHQL evaluation process
and have been digitally signed by Microsoft should be installed on the production network.
You have a test network completely separate from the production network on which you test
software, including currently unsigned device drivers. You suspect that one of your assistants
has installed an unsigned driver on a computer on the production network and as a result,
the video card on that computer is not working properly.
Answer the following questions:
1. How do you check the DirectX video card and discover whether the driver is not
WHQL-approved and if there are any other problems?
2. How do you check there are no other unsigned drivers installed on the computer?
3. If the problem is not the driver, what tool can you use to determine if there is
a resource clash with other hardware?
4. The unsigned driver in question worked fine on your test network. You want to test it
again more thoroughly under stress conditions, such as low resources. What tool can
you use to do this?
Case Scenario 2: Managing Disks
You have configured a computer running Windows 7 Enterprise and added three hard disks.
Drive 0 is the original disk. It holds the operating system on the C: drive. It is a 200-GB disk and
has no unallocated space. Drive 1 is a 200-GB drive, Drive 2 is a 400-GB drive, and Drive 3 is
a 200-GB drive. Currently, all space on Disks 1, 2, and 3 is unallocated. You want to ensure fault
tolerance for both your operating system and your data. You also want to reduce the time
taken to access data.
Answer the following questions:
1. What type of volume would you create to hold your operating system, and on which
disks would you create it?
2. What type of volume would you create to hold your data, and on which disks would
you create it?
3. Given the answer to question 2, what would be the size of the usable data storage on
your data volume?
Suggested Practices

To help you master the exam objectives presented in this chapter, complete the following
tasks.
Investigate the Group Policies Available for Managing Device Installation
• Practice 1: Investigate the available policies in the Local Group Policy Editor.
Double-clicking any policy enables you to read a detailed description. In particular, browse to
Computer Management, Administrative Templates, System, and investigate the policies
under Removable Storage Access, Driver Installation, Device Installation, and Device
Installation Restrictions.
Use the Driver Verifier Monitor Tool
• Practice 1: Use the Driver Verifier Monitor to test a chosen driver under stress
conditions. If you intend to install a third-party device that is not PnP, use the Driver
Verifier Monitor to test the driver the manufacturer provides.
Use Diskpart
• Practice 1: The Diskpart tool is widely used for disk management. Use the tool until
you are familiar with its parameters and processes, such as selecting (focusing) on
a disk or volume before carrying out operations on it. Look at how you would create
scripts using the tool and the use of the noerr parameter.
Take a Practice Test
The practice tests on this book’s companion DVD offer many options. For example, you
can test yourself on just one exam objective, or you can test yourself on all the 70-680
certification exam content. You can set up the test so that it closely simulates the experience
of taking a certification exam, or you can set it up in study mode so that you can look at the
correct answers and explanations after you answer each question.
More Info: Practice Tests
For details about all the practice test options available, see the section entitled “How to
Use the Practice Tests,” in the Introduction to this book.


CHAPTER 5
Managing Applications
One of the most important aspects of migrating to a new operating system is ensuring
that all of the business-critical applications that functioned on the previous operating
system function on computers running the new operating system. Organizations are
understandably unwilling to migrate to a new operating system if it means that they will
be unable to run the applications necessary to perform their important business activities.
Compatibility is a big issue with the adoption of Windows 7 because many organizations
will be migrating from Windows XP. Applications designed to run on Windows XP
sometimes do not run on Windows 7 because of compatibility problems. Windows 7
includes several application compatibility features that allow administrators to configure the
operating system in such a way that these older applications can be run, which allows
organizations that rely on these older applications to move their computers to Windows 7.
Just as it is important to ensure that critical business applications function on a new
operating system, it is also important to block users from executing unauthorized applications
that may disrupt a business environment. There can be many reasons for only allowing a list
of authorized applications to execute on a computer. These reasons range from securing
your environment against malware to ensuring that users are not distracted by productivity-
sapping diversionary applications. Allowing only authorized applications to execute
automatically stops the execution of unauthorized applications, such as malware, games, and
file sharing programs.
In this chapter, you learn what steps you can take to resolve application compatibility issues,
from configuring the built-in Windows 7 compatibility modes to using the Windows XP Mode
virtualization option. You also learn how to use AppLocker and Software Restriction Policies to
limit which applications users can execute on the computers running Windows 7 in your
organization.
Exam objectives in this chapter:
• Configure application compatibility.
• Configure application restrictions.
Lessons in this chapter:
• Lesson 1: Application Compatibility
• Lesson 2: Managing AppLocker and Software Restriction Policies
Before You Begin
To complete the exercises in the practices in this chapter, you need to have done the following:
• Install the Windows 7 operating system on a stand-alone client PC, as described in
Chapter 1, “Install, Migrate, or Upgrade to Windows 7.”
• Download Process Explorer from Microsoft’s Web site. You can find Process Explorer by
navigating to />
Real World
Orin Thomas
Software Restriction Policies are one of those things that are a great idea in
theory but rather time consuming to implement in practice. The theory is that
you can use Software Restriction Policies to enforce an allow list of applications
that you let run on the computers that are in your organization. If the application
is not on the list, it cannot execute. In practice, this means figuring out precisely
which executable files on your computer you are going to allow. This is not
a simple process because there are a lot of applications hidden in the Windows
folder that are essential to the operation of the computer. The strongest sort of
Software Restriction Policy is the hash rule, which uses a digital fingerprint for file
identification. To use hash rules, you need to generate manually a separate digital
fingerprint for every executable file on your allow list. Needless to say, this takes
even longer than coming up with the list itself. To complicate matters further,
every time you update your software with a patch, you need to recalculate the
hash values for all executable files modified by the update process. This is because
the original digital fingerprint no longer matches the updated files. The process of
generating an allow list and then going out to calculate and recalculate hash values
is one that even the most enthusiastic security administrators find a little tedious.
It results in a very secure environment, but it takes a lot of effort to maintain that
security. AppLocker, which debuts in Windows 7 and Windows Server 2008 R2,
greatly reduces the workload involved in creating an application allow list. There are
wizards that automate the process of creating hash rules. There are also improved
publisher rules that give you the ability to allow-list a particular application and
all later versions of that application. You can build a reference system and then
automatically generate rules for every executable file on it. Needless to say, this
improvement allows the great idea in theory to become a great idea in practice.
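The maintenance cost of hash rules described above, as an added PowerShell example that is not part of the book: it fingerprints the executables in a folder, simulates a patch, and reports which allow-list entries no longer match. SHA-256 stands in for the "digital fingerprint", and the folder, file names, and function names are constructed for the demonstration.

```powershell
# Added example (not from the book): show why every patched executable needs
# its hash rule recalculated. Assumptions: SHA-256 is used as the fingerprint,
# and the demo folder and files below are constructed stand-ins for real binaries.
# Written to run on the PowerShell 2.0 that ships with Windows 7.

function Get-FileSha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    } finally {
        $stream.Close()
    }
}

# Build a path -> hash table for every .exe and .dll under a folder.
function Get-HashBaseline {
    param([string]$Root)
    $baseline = @{}
    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $baseline[$_.FullName] = Get-FileSha256 $_.FullName }
    return $baseline
}

# Compare the allow list taken before an update with the files present after it.
function Compare-HashBaseline {
    param([hashtable]$Old, [hashtable]$New)
    foreach ($path in $New.Keys) {
        if (-not $Old.ContainsKey($path)) {
            New-Object PSObject -Property @{ File = $path; Status = 'New file: no rule exists' }
        } elseif ($Old[$path] -ne $New[$path]) {
            New-Object PSObject -Property @{ File = $path; Status = 'Hash changed: rule no longer matches' }
        }
    }
    foreach ($path in $Old.Keys) {
        if (-not $New.ContainsKey($path)) {
            New-Object PSObject -Property @{ File = $path; Status = 'File removed: rule is stale' }
        }
    }
}

# --- Constructed demonstration data ---
$root = Join-Path $env:TEMP 'hashrule-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
[System.IO.File]::WriteAllText((Join-Path $root 'app.exe'),    'application build 1.0')
[System.IO.File]::WriteAllText((Join-Path $root 'helper.dll'), 'helper build 1.0')

$before = Get-HashBaseline $root          # the allow list as first generated

# Simulate a patch: one file is rewritten and one new file is added.
[System.IO.File]::WriteAllText((Join-Path $root 'app.exe'),    'application build 1.1')
[System.IO.File]::WriteAllText((Join-Path $root 'plugin.dll'), 'plugin build 1.0')

$after = Get-HashBaseline $root

Compare-HashBaseline $before $after | Sort-Object File | Format-Table File, Status -AutoSize

Remove-Item -Path $root -Recurse -Force
```

The unchanged helper.dll produces no output; app.exe and plugin.dll are the two entries an administrator would have to re-hash by hand under Software Restriction Policies.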
Lesson 1: Application Compatibility
There are significant differences between Windows 7 and earlier Microsoft Windows client
operating systems. Improvements in the way that the operating system handles application
security, with features such as Data Execution Protection and Mandatory Integrity Control,
mean that applications that were able to perform certain functions in earlier versions of
Windows are unable to perform the same functions when run on the Windows 7 platform.
As already mentioned, this can cause problems for administrators trying to migrate
organizations from earlier Windows client operating systems to Windows 7. In this lesson,
you learn about the steps that you can take to resolve application compatibility problems
that stop important applications that worked on one version of Windows from functioning
properly on the Windows 7 platform.
After this lesson, you will be able to:
• Configure compatibility modes for applications by editing their properties.
• Configure compatibility fixes using the Application Compatibility Toolkit (ACT).
• Locate Windows Internet Explorer compatibility issues using the Internet
Explorer Compatibility Test Tool.
Estimated lesson time: 40 minutes
Configuring Compatibility Options
Although many applications that work on Windows XP work without a problem on Windows 7,
a small, but significant, number of mission-critical applications do not. There are several steps
that you can take to configure these applications to run on Windows 7, ranging from simply
letting the Program Compatibility troubleshooter automatically select compatibility settings to
running the application in Windows XP Mode, a fully virtualized operating system environment.
The important thing to realize is that there will be a way to get an incompatible application to
work on a computer running Windows 7, but that it may take some time and effort to find.
The Program Compatibility Troubleshooter
The Program Compatibility troubleshooter, shown in Figure 5-1, is a tool that automatically
attempts to configure application compatibility settings based on a set of tests that it
performs on an application. This is the simplest method of resolving compatibility problems
because the problem is fixed automatically by the operating system. After the Program
Compatibility troubleshooter has determined the solution to the compatibility problem, that
solution is remembered and the application functions without causing problems in the future.
FIGURE 5-1 Program Compatibility troubleshooter
The Program Compatibility troubleshooter works only with executable files. You can start
it by right-clicking a problematic application shortcut or file and then clicking Troubleshoot
Compatibility. You cannot use the Program Compatibility troubleshooter to troubleshoot the
installation of an installation file that is in .MSI format. The Program Compatibility troubleshooter
solves the most common compatibility problems. If the Program Compatibility troubleshooter
does not resolve the compatibility problem that you are having, it will be necessary to move on
to the next method: manually specifying a built-in compatibility mode.
Built-in Compatibility Modes and Options
Windows 7 includes several built-in compatibility modes that allow you to configure an
application to execute using settings that partially replicate the environment of previous
operating systems. Although these compatibility modes replicate previous operating systems
in some respects, an application that functioned on one of these operating systems does not
always function when you configure it to use a corresponding compatibility mode. You can
configure compatibility modes for applications by editing the application’s properties and
navigating to the Compatibility tab on the Properties dialog box, as shown in Figure 5-2.
You can use the drop-down menu to select from one of the following compatibility
modes:
• Windows 95
• Windows 98 / Windows Me
• Windows NT 4.0 (Service Pack 5)
• Windows 2000
• Windows XP (Service Pack 2)
• Windows XP (Service Pack 3)
• Windows Server 2003 (Service Pack 1)
• Windows Vista
• Windows Vista (Service Pack 1)
• Windows Vista (Service Pack 2)
FIGURE 5-2 Available compatibility modes
Windows 7 also supports other compatibility options, which are available on the same tab.
These options include:
• Run In 256 Colors: This option allows applications designed to run with
a limited color palette to display correctly.
• Run In 640 x 480 Screen Resolution: This option allows applications that are designed
to run in low resolution and do not support higher resolutions to display properly.
• Disable Visual Themes: Visual themes can cause display problems with the menus
and buttons in some applications. Enabling this setting can resolve those problems.
• Disable Desktop Composition: Enabling this setting disables features of the Aero user
interface (UI) such as transparency while the application is active.
• Disable Display Scaling On High DPI Images: Enabling this option turns off automatic
resizing of applications if large-scale fonts are being used. This setting should be
enabled if large-scale fonts adversely affect application appearance.
• Run This Program As An Administrator: Some older programs that require
administrative privileges are not able to prompt for elevation, which would normally
result in a user being presented with a User Account Control dialog box. Enabling this
option runs the program as an Administrator. This means that only users that have
administrative privileges on the computer are able to execute this program.
• Change Settings For All Users: By default, when you configure compatibility options,
they only apply to the currently logged on user. You can click the Change Settings For
All Users button to configure compatibility settings for all users of the computer.
When the Program Compatibility troubleshooter runs, it tries to use these options to get
the application to work. If the troubleshooter is unsuccessful, you may have success manually
adjusting these options. You cannot configure the compatibility options of applications
that are included with the Windows operating system. In the event that you are unable to
configure these compatibility options to get the application to work, you can use the ACT
to create a custom application compatibility mode that is more specifically tailored for the
application you are trying to run.
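An audit of which programs have had compatibility options applied, and which of those are set to Run This Program As An Administrator, as an added PowerShell example that is not part of the book. It assumes the Compatibility tab stores its choices as space-separated layer names under the AppCompatFlags\Layers registry key, per user in HKCU and for all users in HKLM; the key path and the RUNASADMIN layer name are not given on this page.

```powershell
# Added example (not from the book): list executables that have compatibility
# options set, per user and for all users, and flag those set to run elevated.
# Assumption: the Compatibility tab persists its settings under the
# AppCompatFlags\Layers key as "<full path to exe>" = "<layer names>".
# Written to run on the PowerShell 2.0 that ships with Windows 7.

$layerKeys = @{
    'Current user' = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    'All users'    = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
}

function Get-CompatibilityLayer {
    foreach ($scope in $layerKeys.Keys) {
        # The key does not exist until at least one program has been configured.
        $key = Get-Item -LiteralPath $layerKeys[$scope] -ErrorAction SilentlyContinue
        if ($key -eq $null) { continue }

        foreach ($program in $key.GetValueNames()) {
            if (-not $program) { continue }          # skip the unnamed default value
            $layers = [string]$key.GetValue($program)

            New-Object PSObject -Property @{
                Scope      = $scope
                Program    = $program
                Layers     = $layers
                # Elevation is the setting worth reviewing: it changes who can run
                # the program and with what privileges.
                RunAsAdmin = (($layers -split '\s+') -contains 'RUNASADMIN')
                # An entry whose target is gone is stale and can be cleaned up.
                FileExists = (Test-Path -LiteralPath $program)
            }
        }
    }
}

Get-CompatibilityLayer |
    Sort-Object Scope, Program |
    Format-Table Scope, RunAsAdmin, FileExists, Program, Layers -AutoSize
```

Entries under the All users scope correspond to the Change Settings For All Users button and apply to every account on the computer.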
Quick Check
• Which compatibility option should you enable for a program that needs
administrative privileges but that triggers a User Account Control prompt?
Quick Check Answer
• You should enable the Run This Program As An Administrator option because this
allows the application to run using elevated privileges. The user is presented with
a User Account Control prompt prior to elevated privileges being granted.
The Application Compatibility Toolkit
The Application Compatibility Toolkit (ACT) is a collection of tools that allows you to
resolve application compatibility issues. You can use the ACT to determine whether existing
applications are compatible with Windows 7 before deploying the new operating system.
The ACT contains the following components:
• Application Compatibility Manager
• Compatibility Administrator
• Internet Explorer Compatibility Test Tool
• Setup Analysis Tool
• Standard User Analyzer
You learn more about each of these tools in the rest of this lesson.
More Info: ACT
You can obtain the ACT by going to and searching for the
toolkit by name.
Application Compatibility Manager
The Application Compatibility Manager, shown in Figure 5-3, allows you to configure, collect,
and analyze compatibility data so you can resolve issues prior to deploying Windows 7 in your
organization. The Application Compatibility Manager interfaces with a Microsoft SQL Server
database that stores all the collected compatibility telemetry. You can use the Application
Compatibility Manager to create and deploy data-collection packages. Data-collection packages
gather data about hardware, software, and device information for a group of specified client
computers. This data is forwarded through Application Compatibility Manager to the SQL Server
database, which must be present on your network if you want to use this tool. By analyzing
the contents of the database, you can understand what compatibility issues are likely to be
experienced given the current application deployment within your organization.
FIGURE 5-3 Application Compatibility Manager
Compatibility Administrator
The Compatibility Administrator, shown in Figure 5-4, allows you to resolve a large number
of application compatibility issues that might occur when you attempt to deploy an existing
application on Windows 7. The Compatibility Administrator provides a collection of individual
compatibility fixes and compatibility modes that can resolve problems with existing software.
A large number of existing applications already have compatibility fixes that allow them
to run on the Windows 7 platform, and you should check here first to see if a solution has
already been developed for the application that you are interested in.
FIGURE 5-4 Compatibility Administrator showing an existing fix

If no solution exists within the database, you can also create your own compatibility
fixes, compatibility modes, and compatibility databases that can help resolve application
compatibility issues. A compatibility fix, also known as a shim, is a piece of software that
intercepts application programming interface (API) calls from applications, modifying
them so that Windows 7 provides a similar response as a previous version of Windows did.
A compatibility mode is a group of compatibility fixes.
Internet Explorer Compatibility Test Tool
The Internet Explorer Compatibility test tool, shown in Figure 5-5, allows you to test existing
Web sites to determine if they have compatibility problems that adversely influence how
they will display on Internet Explorer 8, the version of Internet Explorer that ships with
Windows 7. As many organizations have business-critical Web applications on their intranet,
it is as important to resolve compatibility issues with Web applications as it is to resolve
compatibility issues with more traditional applications. To use Internet Explorer Compatibility
Test Tool, open the tool from the Developer And Tester Tools menu in the Microsoft Application
Compatibility Toolkit folder on the Start menu, click Enable, and then open Internet Explorer.
A message appears informing you that compatibility evaluation logging is enabled. Visit the
Web sites and Web applications that you need to test. As you visit each site, the test tool
records potential compatibility issues.
FIGURE 5-5 The Internet Explorer Compatibility Test Tool
Setup Analysis Tool
The Setup Analysis Tool monitors the actions taken by application installers and can detect
the following compatibility issues:
• Installation of kernel mode drivers
• Installation of 16-bit components
• Installation of Graphical Identification and Authentication dynamic-link libraries (DLLs)
• Modification of files or registry keys that are guarded by Windows Resource Protection
(WRP)
To perform an analysis, open the Setup Analysis Tool and type in the location of the setup
file that you want to analyze. The Setup Analysis Tool runs the setup command and profiles
the installation procedure to determine what issues might exist.
Standard User Analyzer
The Standard User Analyzer, shown in Figure 5-6, allows you to test applications to determine
if they might have compatibility issues caused by User Account Control. The Standard User
Analyzer provides data about problematic files and APIs, registry keys, .ini files, tokens,
privileges, namespaces, processes, and other related items that the application uses that
might cause problems when running on a computer with Windows 7 installed. To use the
Standard User Analyzer, start the tool, specify the target application, and then click Launch.
The application attempts to start, and the Standard User Analyzer profiles how it interacts
with the Windows 7 environment.
FIGURE 5-6 Standard User Analyzer
More Info: ACT
For more information about the ACT, consult the following TechNet Magazine article:
/>
Application Compatibility Diagnostics Policies
There are six application compatibility related group policies that influence how Windows 7
responds when it encounters an application compatibility problem. These policies are located
in the Computer Configuration\Administrative Templates\System\Troubleshooting and
Diagnostics\Application Compatibility Diagnostics node of a Group Policy Object (GPO). These
policies are shown in Figure 5-7.
FIGURE 5-7 Application compatibility diagnostics policies
The policies have the following functions:
• Notify Blocked Drivers: When enabled, Windows notifies the user when a driver is
blocked due to compatibility issues.
• Detect Application Failures Caused By Deprecated COM Objects: When enabled,
Windows notifies the user if a program attempts to create a COM object that is not
supported by Windows 7.
• Detect Application Failures Caused By Deprecated Windows DLLs: When enabled,
Windows notifies the user if a program tries to load Windows DLLs that are not
supported by Windows 7.
• Detect Application Install Failures: When enabled, application installer failures are
detected and the user is presented with the option to restart the installation process
using application compatibility mode.
• Detect Application Installers That Need To Be Run As Administrator: When enabled,
application installations that fail because they need to be run as an administrator can
be restarted with the Run As Administrator option.
• Detect Applications Unable To Launch Installers Under UAC: This setting is similar to
the previous one except that instead of running as an administrator, the user receives
a User Account Control prompt to elevate privileges when the installation of an
application fails.
If you do not configure these policies, the default Windows 7 setting is to notify the user
that the failure has occurred and, in some instances, to start the Program Compatibility
Troubleshooter. In environments where users are not able to resolve application compatibility
issues by themselves, administrators often disable these notifications because there is little
reason to notify a user of the reason for the failure if the user is unable to resolve the problem
causing the failure.
Windows XP Mode for Windows 7
Windows XP Mode is a downloadable compatibility option that is available for the Professional,
Enterprise, and Ultimate editions of Windows 7. Windows XP Mode uses the latest version
of Microsoft Virtual PC to allow you to run an installation of Windows XP virtually under
Windows 7. The difference between Windows XP Mode and other operating system
virtualization solutions is that all applications that you install on the Windows XP Mode client will
be available automatically on the Windows 7 host computer. For example, if you install Microsoft
Office 2000 on the Windows XP Mode client, the shortcuts for the Office 2000 applications
become available on the Windows 7 Start menu. When you run an application, it starts in its
own separate window as any other application does. From the perspective of the user, this
means that applications appear as though they are executing directly within Windows 7.
Windows XP Mode requires a processor that supports hardware virtualization using either
the AMD-V or Intel VT options. Most processors have this option disabled by default; to
enable it, you must do so from the computer’s BIOS. After the setting has been configured,
it is necessary to turn the computer off completely. The setting is not enabled if you perform
a warm reboot after configuring BIOS. Because 256 MB of RAM must be allocated to the Windows
XP Mode client, the computer running Windows 7 on which you deploy Windows XP Mode
requires a minimum of 2 GB of RAM, which is more than the 1 GB of RAM in the Windows 7
hardware requirements.
To install applications that are not compatible with Windows 7, you must start the Windows
XP Mode client from the Windows Virtual PC folder of the Start menu. After you have installed
the application, you can then start it from the Virtual Windows XP Applications folder of the
Start menu. You can also copy items from this folder to the desktop or to the Taskbar to start
them directly as you would any other program installed on a computer running Windows 7.
When you start an application installed on Virtual XP directly from the Start menu in Windows 7,
the Virtual Windows XP operating system is shut down, as shown in Figure 5-8.
FIGURE 5-8 Virtual XP shut down to run application
Windows XP Mode provides an x86 version of Windows XP Professional SP3. Windows
Virtual PC does not support x64 virtual clients, which means that you cannot use Windows XP
Mode or Virtual PC as a compatibility solution for x64 applications. Because the application is
not executing natively within Windows 7, there will be some performance overhead to using
an application through Windows XP Mode.

You should consider Windows XP Mode as a compatibility option of last resort. This is
because it requires significantly more system resources to use than the built-in or custom
compatibility modes. Another drawback to Windows XP Mode is that it requires administrators
to manage and maintain the Windows XP virtual client as they would any other client desktop
computer in their organization. This means that you need to keep the Windows XP virtual client
up to date with updates even though the people using the computer will not be accessing the
Windows XP operating system directly.
EXAM TIP
An application that functions well on a computer that has Windows XP SP3 installed, but
which does not run normally on Windows 7, might run without a problem if you configure
it to use the Windows XP SP3 compatibility mode.
Practice Windows 7 Compatibility
In this practice, you investigate Windows 7 compatibility options for an application that you
have downloaded from the Internet.
exercise Configuring Compatibility Options for Process Explorer
In this exercise, you explore the compatibility options for an application and verify that
an application is digitally signed. Although Process Explorer functions without problems
in Windows 7, you need to obtain an application that is not included with Windows 7 to
configure compatibility options. It is not possible to configure compatibility options for an
application that is included within Windows 7, such as Calc.exe or Solitaire.exe.
1. If you are not logged on already, log on to computer Canberra using the Kim_Akers
user account. If you have not already downloaded the file ProcessExplorer.zip to the
desktop from Microsoft’s Web site, do so now.
2. Right-click ProcessExplorer.zip and then choose Extract All. This opens the Extract
Compressed (Zipped) Folders Wizard. Accept the default folder location and settings
and then click Extract.
3. Right-click the Procexp.exe application and then choose Properties. Click the Digital
Signatures tab, select Microsoft Corporation, and then click Details. Verify that the
application is digitally signed by Microsoft, as shown in Figure 5-9. Click OK to close
the Digital Signature Details dialog box.
FIGURE 5-9 Verify the digital signature
4. Click the Compatibility tab. Under Compatibility Mode, select the Run This Program In
Compatibility Mode For check box and use the drop-down menu to select Windows
Vista (Service Pack 2).
5. Select the Disable Desktop Composition check box and then select the Run This
Program As An Administrator check box, as shown in Figure 5-10. Click OK.
FIGURE 5-10 Configuring application compatibility
6. Double-click procexp.exe. You should see a User Account Control dialog box that
warns you that the program may make changes to your computer and that shows
the program name and the origin of the file, as shown in Figure 5-11. Click Yes.
FIGURE 5-11 User Account Control prompt for Process Explorer
7. In the Process Explorer License Agreement dialog box, click Agree. Process Explorer
does not execute with these compatibility settings. Click Close The Program.
8. Right-click Procexp.exe and choose Properties. Click the Compatibility tab and then
clear the Run This Program In Compatibility Mode, Disable Desktop Composition, and
Run This Program As An Administrator check boxes. Click OK.
9. Double-click Procexp.exe. Click Run if prompted by the Open File–Security Warning
dialog box.
10. Verify that the application executes properly and then close the application.
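The signature check and compatibility settings from this exercise can also be scripted. The following PowerShell is an added example, not part of the training kit. It assumes that the archive was extracted to Desktop\ProcessExplorer and that the Compatibility tab stores its per-user settings under the AppCompatFlags\Layers registry key using the layer names VISTASP2, DISABLEDWM, and RUNASADMIN; the function names are hypothetical.

```powershell
# Added example, not from the training kit. Assumption: the archive was
# extracted to the wizard's default folder, Desktop\ProcessExplorer.
$exe = Join-Path $env:USERPROFILE 'Desktop\ProcessExplorer\procexp.exe'

# Assumed per-user store for Compatibility tab settings
# (value name = full path of the executable, data = space-separated layers).
$layersSub = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$layersKey = "HKEY_CURRENT_USER\$layersSub"

function Test-PublisherSignature {
    param([string]$Path, [string]$Publisher)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches and the certificate chain is trusted.
    if ($sig.Status -ne 'Valid') { return $false }
    # A valid signature from some other publisher must not pass.
    return ($sig.SignerCertificate.Subject -like "*O=$Publisher*")
}

function Get-CompatLayer {
    param([string]$Path)
    # Returns $null when no compatibility options are set for this file.
    [Microsoft.Win32.Registry]::GetValue($layersKey, $Path, $null)
}

function Set-CompatLayer {
    param([string]$Path, [string[]]$Layers)
    # Refuse to mark a binary for elevation unless its publisher is verified.
    if (($Layers -contains 'RUNASADMIN') -and
        -not (Test-PublisherSignature $Path 'Microsoft Corporation')) {
        throw "Signature check failed for $Path; not setting RUNASADMIN."
    }
    [Microsoft.Win32.Registry]::SetValue($layersKey, $Path, ($Layers -join ' '))
}

function Clear-CompatLayer {
    param([string]$Path)
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($layersSub, $true)
    # $false: do not throw if the value is already absent.
    if ($key) { $key.DeleteValue($Path, $false); $key.Close() }
}

if (Test-Path $exe) {
    Set-CompatLayer $exe @('VISTASP2', 'DISABLEDWM', 'RUNASADMIN')  # steps 4-5
    "Layers now: $(Get-CompatLayer $exe)"
    Clear-CompatLayer $exe                                          # step 8
    "Layers after clearing: $(Get-CompatLayer $exe)"
}
```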
Lesson Summary
• You can run the Program Compatibility troubleshooter to diagnose common
application compatibility issues.
• Windows 7 has several compatibility modes that allow the majority of existing software
to execute on it.
• The ACT contains several tools that allow you to analyze potential compatibility
problems prior to deploying Windows 7 in your organization.
• You can use the Compatibility Administrator to search for existing compatibility fixes
and compatibility modes that have already been developed for popular applications.
• You can use the Internet Explorer Compatibility Test Tool to check existing Web sites
and applications for compatibility problems that might exist when Internet Explorer 8
is used as a browser.
• Windows XP Mode allows you to run applications through a virtualized instance of
Windows XP that runs on Windows 7 Professional, Ultimate, or Enterprise edition.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Application Compatibility.” The questions are also available on the companion DVD if you
prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or
incorrect are located in the “Answers” section at the end of the book.
1. You are planning to migrate all the computers in your organization to Windows 7
Professional. Your organization has several applications that are installed on computers
running Windows XP Professional. You are unable to install these applications on
computers running Windows 7 due to compatibility problems. You are unable to
configure a custom compatibility mode to support these applications using the ACT.
Which of the following solutions could you implement to deploy these mission-critical
applications on the computers running Windows 7?
A. Install the Windows XP Mode feature. Install the application under Windows XP.
B. Create a custom compatibility fix for the application using the ACT.
C. Create a shim for the application using the ACT.
D. Configure the application installer to run in Windows XP Professional SP2
compatibility mode.
2. Which of the following compatibility modes would you configure for an application
that works on computers running Microsoft Windows 2000 Professional but does not
work on computers running Windows XP?
A. Windows 98 / Windows Me
B. Windows NT 4.0 (Service Pack 5)
C. Windows XP (Service Pack 2)
D. Windows 2000
3. Which of the following file types does the Windows 7 Program Compatibility
troubleshooter application work with?
A. .cab files
B. .exe files
C. .msi files
D. .zip files
4. An application used by the administrators in your organization is not configured to
prompt for elevation when it is run. Which of the following compatibility options could
you configure for the application to ensure that users with administrative privileges are
always prompted when they execute the application?
A. Configure the application to run in Windows XP (Service Pack 3) compatibility
mode.
B. Enable the Run In 256 Colors compatibility option.
C. Enable the Run This Program As An Administrator compatibility option.
D. Enable the Disable Desktop Composition compatibility option.
5. Your organization’s internal Web site was designed several years ago, when all client
computers were running Windows XP and Microsoft Internet Explorer 6. You want to
verify that your organization’s internal Web site displays correctly when you migrate
all users to computers running Windows 7. Which of the following tools can you use to
accomplish this goal?
A. Internet Explorer Administration Kit (IEAK)
B. Application Compatibility Toolkit (ACT)
C. Windows Automated Installation Kit (Windows AIK)
D. Microsoft Deployment Toolkit (MDT)
Lesson 2: Managing AppLocker and Software Restriction Policies
Occasionally it might be necessary to limit the applications that users can run on a computer.
You might want to block a specific application from running, or you might want to ensure
that only applications that are on an approved list function on your organization’s network.
There are two different technologies that you can use with computers running Windows 7
to restrict the execution of applications: AppLocker and Software Restriction Policies. You
manage AppLocker and Software Restriction Policies through Group Policy. You can use these
technologies to restrict programs, installation files, scripts, and even DLL libraries. In this
lesson, you learn the differences between the two technologies and the situations in which
you would choose to deploy one technology over the other.
After this lesson, you will be able to:
• Configure Software Restriction Policies to restrict the execution of applications.
• Configure AppLocker policies to restrict the execution of applications, installers,
and scripts.
Estimated lesson time: 50 minutes
Software Restriction Policies
Software Restriction Policies is a technology available to clients running Windows 7 that is
also available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.
You manage Software Restriction Policies through Group Policy. You can find Software
Restriction Policies in the Computer Configuration\Windows Settings\Security Settings\
Software Restriction Policies node of a group policy. When you use Software Restriction
Policies, you use the Unrestricted setting to allow an application to execute and the
Disallowed setting to block an application from executing.

NOTE CONTROLLING APPLICATIONS THROUGH PERMISSIONS
Although it is possible to restrict the execution of an application on the basis of NTFS
permissions, configuring the NTFS permissions for a large number of applications on
a large number of computers requires significant administrative effort.
You can achieve many of the same application restriction objectives with Software
Restriction Policies that you can with AppLocker policies. The advantage of Software
Restriction Policies over AppLocker policies is that Software Restriction Policies can apply
to computers running Windows XP and Windows Vista, as well as to computers running
Windows 7 editions that do not support AppLocker. The disadvantage of Software Restriction
Policies is that all rules must be created manually because there are no built-in wizards to
