There are a number of things to consider when scanning Windows container images. First, Twistlock Console only runs on Linux hosts. Twistlock Defender, which does the actual scanning work, comes in a number of flavors. On Windows, Twistlock supports Container Defender and Host Defender.

To scan Windows images:

  • The Windows Intelligence Stream must be enabled. You can find the setting under Manage > System > Intelligence. By default, the Windows Intelligence Stream is disabled.

  • The container OS version must match the host OS version where Defender runs. For example, Defender on Windows Server 1803 can scan nanoserver:1803, but it can’t scan nanoserver:1809. Conversely, Defender on Windows Server 1809 can scan nanoserver:1809, but it can’t scan nanoserver:1803.

  • Twistlock requires a privileged user inside the container to scan it. In more recent versions of Windows (Windows Server, version 1803 or higher, build 17134 or higher), Twistlock uses the ContainerAdministrator account. This account has complete access to the whole file system and all of the resources in the container. In older versions of Windows, specifically Windows Server 2016 (version 1607, build 14393), ContainerAdministrator does not exist, so Twistlock uses the default user.
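The second and third requirements can be checked on the Defender host before a scan is attempted. The PowerShell below is an added example, not Twistlock's own code: it reads the host build from `Win32_OperatingSystem`, reads the image build from the `OsVersion` field that Docker records in the image config, and reports whether they match and which account Twistlock will use. It assumes the Docker CLI is on PATH, that a matching kernel build number is a sufficient proxy for "same OS version", and uses the build numbers given above (17134 for Server 1803, 14393 for Server 2016).

```powershell
# Added pre-flight check for Windows image scanning (assumption: equal build
# numbers are used as the proxy for "container OS version matches host OS version").

function Get-HostBuild {
    # BuildNumber is the kernel build, e.g. "17134" on Windows Server 1803
    [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
}

function Get-ImageBuild {
    param([Parameter(Mandatory)][string]$Image)
    # Docker stores the image OS and its version (e.g. "10.0.17134.1234") in the image config
    $inspect = docker image inspect $Image --format '{{.Os}} {{.OsVersion}}'
    if ($LASTEXITCODE -ne 0) { throw "docker inspect failed for $Image" }
    $os, $ver = $inspect -split ' ', 2
    if ($os -ne 'windows') { throw "$Image is a $os image, not a Windows image" }
    # The third dotted component of OsVersion is the build number
    $parts = $ver -split '\.'
    [int]$parts[2]
}

function Test-TwistlockScanReady {
    param([Parameter(Mandatory)][string]$Image)
    $hostBuild  = Get-HostBuild
    $imageBuild = Get-ImageBuild -Image $Image
    # Build 17134 (Server 1803) and later provide ContainerAdministrator;
    # Server 2016 (build 14393) does not, so Twistlock falls back to the default user
    $account = if ($hostBuild -ge 17134) { 'ContainerAdministrator' } else { 'default user' }
    [pscustomobject]@{
        Image       = $Image
        HostBuild   = $hostBuild
        ImageBuild  = $imageBuild
        BuildMatch  = ($hostBuild -eq $imageBuild)
        ScanAccount = $account
    }
}

# Check every locally pulled, tagged image; rows with BuildMatch = False
# will not be scannable by the Defender running on this host
docker image ls --format '{{.Repository}}:{{.Tag}}' |
    Where-Object { $_ -notmatch '<none>' } |
    ForEach-Object { Test-TwistlockScanReady -Image $_ } |
    Format-Table -AutoSize
```

Run it on the Windows host where Defender is installed; an image whose build differs from the host's (for example nanoserver:1809 on a Server 1803 host) shows BuildMatch as False.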