A couple of months ago, Microsoft and Docker enabled process isolation for Docker containers on Windows 10. That matters a lot because the alternative is Hyper-V isolation, which means that every container actually runs inside its own lightweight VM. Depending on the circumstances that can be a very desirable feature (it is a much stronger security boundary), but when you are running containers on your local machine for development it probably isn't, as it forces you to allocate memory in advance and adds overhead you don't need in that case. Therefore I was very happy when I saw this and even tried it with non-released builds, but it failed: the containers froze on startup and I didn't find a way forward, even with the help of John Howard, one of the people working on Docker containers on the Microsoft side.
Then I found out that it was related to Symantec Endpoint Protection, a tool whose use is mandatory (for very good reasons, of course) in my company. Uninstalling it allowed the containers to run, but that wasn't a viable solution. Fortunately one of the security administrators in my company, Laurent Dalciet, dug deeper and came up with a solution which now allows me to run containers in process isolation! As I found a couple of other people with similar problems but no solution, I wanted to share this, so I asked him what he did and he was kind enough to create the following step-by-step instructions. Thanks a lot!
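To check which isolation mode you are actually getting, and to catch the startup hang described above without blocking your shell, here is an added PowerShell example. It is not part of the original post or of the instructions that follow; it assumes Docker is switched to Windows containers and that $Image (mcr.microsoft.com/windows/nanoserver:1809 here, an assumption) is a tag whose OS build matches the host, which process isolation requires.

```powershell
# Added example (not from the original post): run a container with
# process isolation, poll its state, and verify the mode Docker applied.
# Assumptions: Docker Desktop is in Windows-containers mode and $Image
# matches the host build; both are assumptions, not facts from the post.
param(
    [string]$Image = "mcr.microsoft.com/windows/nanoserver:1809",  # assumed tag
    [int]$TimeoutSeconds = 60
)

# 1. What does the daemon use when no --isolation flag is given?
#    Expect "hyperv" or "process".
$default = docker info --format '{{.Isolation}}'
Write-Host "Default isolation reported by the daemon: $default"

# 2. Start the container detached with an explicit --isolation=process so the
#    request does not depend on the daemon default.
$id = docker run -d --isolation=process $Image cmd /c "ver & echo container-ok"
if (-not $id) { throw "docker run failed; see the daemon's error output above" }

# 3. Poll the state instead of blocking on 'docker run'. A container that
#    freezes during startup (the symptom described in the post) is then
#    reported after the timeout instead of hanging the shell indefinitely.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $state = docker inspect --format '{{.State.Status}}' $id
    if ($state -eq 'exited') { break }
    Start-Sleep -Seconds 2
} while ((Get-Date) -lt $deadline)

# 4. Confirm which isolation mode was actually applied to this container.
$isolation = docker inspect --format '{{.HostConfig.Isolation}}' $id
Write-Host "Requested: process   Applied: $isolation   Final state: $state"

if ($state -ne 'exited') {
    Write-Warning "Container did not finish within $TimeoutSeconds s; this is the startup hang to investigate."
    docker rm -f $id | Out-Null
    exit 1
}

# 5. Show the container's output and clean up.
docker logs $id
docker rm $id | Out-Null
```

Save it as a .ps1 file and run it from a PowerShell prompt on the Windows 10 host; a "Final state: running" or "created" after the timeout reproduces the frozen-container behaviour, while "exited" with the ver output in the logs shows process isolation working.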
Thanks for sharing this fix, Tobias.
Would you be able to explain exactly what vulnerability is exposed by this exclusion?
I unfortunately have to admit that I don't know. SEP is handled by a specialized team in our company, and if they figure that this is an acceptable workaround, I just trust them.
No problem, thanks for your reply