Endpoint Protection interfering with Docker containers on Windows Server 2016


Article ID: 169698




Endpoint Protection


Cannot create or launch Docker containers on Windows Server 2016 when Symantec Endpoint Protection (SEP) is installed.


This is caused by the Application Control component of SEP, which blocks process launches that Docker relies on when it creates and starts a container (hence the process-based exceptions below).


Windows Server 2016


To work around this issue, upgrade the affected clients to SEP 14 RU1 or newer, then add the following paths as Windows File Exceptions to the Exceptions Policy in the Symantec Endpoint Protection Manager (SEPM).

Prefix Variable   File and Path          Exclude child processes
%[SYSTEM]%        lsass.exe              Yes
%[SYSTEM]%        svchost.exe            Yes
%[SYSTEM]%        cexecsvc.exe           Yes
%[SYSTEM]%        oobe\windeploy.exe     Yes

For each exception, choose "Application Control" as the type of scan that excludes the file, and also select "Exclude child processes". Assign the new Exceptions Policy only to the group containing the affected Docker hosts: excluding svchost.exe and lsass.exe together with their child processes removes Application Control coverage for those processes, so the policy should not be applied more widely than needed.

Note: if the Docker installation itself failed before these exceptions were in place, you may need to uninstall the failed package before retrying the install.

Additional exceptions may be needed when you add Windows Features to a running container or install a service in it. The following example shows the exceptions required to run an MSI install and to run the DNS service; not all of them are necessary in every situation:

Prefix Variable   File and Path                      Exclude child processes
%[WINDOWS]%       servicing\trustedinstaller.exe     Yes
%[SYSTEM]%        msiexec.exe                        Yes
%[SYSTEM]%        dns.exe                            Yes
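The following PowerShell script is an added example and is not part of the original article or of Symantec's tooling. It helps verify the exceptions above on a Windows Server 2016 Docker host: it resolves each exception to the path SEP will match on the host and confirms the binary exists there (catching a typo in the SEPM policy before deployment), then runs the operation that fails when Application Control interferes, so the result can be compared before and after the policy reaches the client. It assumes that SEP's %[SYSTEM]% prefix variable resolves to $env:SystemRoot\System32 and %[WINDOWS]% to $env:SystemRoot, and that the chosen test image is already present locally; both are assumptions, not statements from the article.

```powershell
# Added example (not from the original article or from Symantec).
# Assumptions not stated on the page: SEP's %[SYSTEM]% resolves to
# $env:SystemRoot\System32 and %[WINDOWS]% to $env:SystemRoot; the test image is
# one already present locally (check with "docker images").

$prefixMap = @{
    '%[SYSTEM]%'  = Join-Path $env:SystemRoot 'System32'   # assumed mapping
    '%[WINDOWS]%' = $env:SystemRoot                        # assumed mapping
}

# The exceptions listed in the article: the base set plus the optional MSI/DNS set.
$exceptions = @(
    @{ Prefix = '%[SYSTEM]%';  Path = 'lsass.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'svchost.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'cexecsvc.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'oobe\windeploy.exe' },
    @{ Prefix = '%[WINDOWS]%'; Path = 'servicing\trustedinstaller.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'msiexec.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'dns.exe' }            # only present when the DNS role is installed
)

function Test-SepExceptionPaths {
    # Resolve every exception and report whether the binary exists on this host.
    # A MISSING entry for dns.exe is normal on a host without the DNS Server role;
    # a MISSING entry for anything else usually means a typo in the policy.
    foreach ($e in $exceptions) {
        $full = Join-Path $prefixMap[$e.Prefix] $e.Path
        $state = if (Test-Path -LiteralPath $full -PathType Leaf) { 'present' } else { 'MISSING' }
        '{0,-8} {1}' -f $state, $full
    }
}

function Test-DockerRun {
    param(
        # Assumption: an image that is already present locally on the host.
        [string]$Image = 'mcr.microsoft.com/windows/nanoserver:sac2016'
    )
    # Create and start a container, which is exactly what fails when Application
    # Control blocks the processes above. Capture stderr as well so the Docker
    # daemon's error text is visible when the launch is refused.
    $out = & docker run --rm $Image cmd /c 'echo container-ok' 2>&1
    if ($LASTEXITCODE -eq 0 -and ($out -match 'container-ok')) {
        'docker run succeeded'
    } else {
        "docker run failed (exit $LASTEXITCODE): $out"
        'If the failure persists, confirm on the client that the Exceptions Policy has been received and that each exception uses the Application Control scan type with "Exclude child processes" selected.'
    }
}

Test-SepExceptionPaths
Test-DockerRun
```

Run the script once before assigning the policy (expect the container launch to fail while the path check passes) and once after the client has received the updated policy (expect both to succeed). Because the script only reads files and runs a throwaway container, it is safe to run repeatedly while troubleshooting.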