(How) Can I run Windows Defender in a docker container? Getting errors

Question

I'm experimenting with some options for an endpoint pen-testing lab for a Windows environment, and Docker seems like a pretty light-weight and easily configurable option. However, upon testing Windows Defender within this setup I'm faced with errors and every help thread answer I've found on it has just resulted in more errors. Is running Windows Defender in a docker container not doable?

What I've tried:

Ran a docker Windows container:

PS C:\WINDOWS\system32> docker run mcr.microsoft.com/windows:20H2
Unable to find image 'mcr.microsoft.com/windows:20H2' locally
20H2: Pulling from windows
f26dc4584b4d: Pull complete
881882374a3c: Pull complete
Digest: sha256:bfcfdafc3db9b35528635acfdbc07169ed0a6b8af88feb7b6e1da62cd4f3b748
Status: Downloaded newer image for mcr.microsoft.com/windows:20H2
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\>

Then within that container CLI, ran:

PS C:\> (Get-Service windefend).Status
Stopped

PS C:\> Start-Service windefend
Start-Service : Service 'Microsoft Defender Antivirus Service (windefend)'
on computer '.'.
At line:1 char:1
+ Start-Service windefend
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceControl
   ler:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Comman
   ds.StartServiceCommand

PS C:\> Get-MpComputerStatus
Get-MpComputerStatus : A general error occurred that is not covered by a more
specific error code.
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpComputerStatus:ROOT\Micros
   oft\...pComputerStatus) [Get-MpComputerStatus], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus

These error messages, to my eyes, aren't helpful. I have no idea what CategoryInfo : NotSpecified: (MSFT_MpComputerStatus:ROOT\Microsoft\...pComputerStatus) [Get-MpComputerStatus], CimException means, nor FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus, and it doesn't seem to allude to any reason why it can't start the service. Hence, I'm wondering if it's just not possible.

That looks like some sort of permission error, are you running this as administrator? — Coolcreeper, Dec 05 '21 at 23:17
I created this same container and am unable to start or modify this service with any type of elevation or user of `sc` command. I'm going to try 1809. — another victim of the mouse, Jan 04 '22 at 06:03

score 3 · Accepted Answer · answered Jan 04 '22 at 06:56

What a nightmare! but I got it working for both 1809 and 20h2.

PS C:\> Start-Service windefend
Start-Service : Service 'Microsoft Defender Antivirus Service (windefend)' cannot be started due to the following
error: Cannot start service windefend on computer '.'.
At line:1 char:1
+ Start-Service windefend
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
   ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

PS C:\>

The service is set to system startup so you need to put into manual startup first:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\" -Name "Start" -Value 3

Then remove the launchprotected key from the registry:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\" -Name "LaunchProtected" -Value 0

And then WinDefend will startup after rebooting the container.

PS C:\> Start-Service windefend
PS C:\> Get-Service windefend

Status   Name               DisplayName
------   ----               -----------
Running  windefend          Microsoft Defender Antivirus Service

How timely! I'm looking into doing this as well, using an 1809 (mcr.microsoft.com/windows:1809-amd64) based container deployed to a Windows Node in AKS - but I'm running into this after following your guidance and running `Start-Service WinDefend`: `WARNING: Waiting for service 'Windows Defender Antivirus Service (WinDefend)' to start...` The same warning just keeps repeating from here - did you run into anything like this? — bhargav, Jan 11 '22 at 05:08
@bhargav i didn't. i was able to get it working successfully on two fresh installs. did you make any changes to you container beside what i did? is there anything in the event viewer showing an error? — another victim of the mouse, Jan 13 '22 at 04:15

(How) Can I run Windows Defender in a docker container? Getting errors

1 Answers1