Windows Hosts
The Sysdig Windows Host Shield is installed on a Windows host and collects data from that host. It sends the collected data to the Sysdig backend and syncs the Falco runtime policies and rules from the backend to the Windows Host Shield.
Installation Requirements
Prerequisites
- Windows Server 2019 and above.
- ACCESS_KEY: The agent access key.
- Sysdig Secure Endpoint for your Sysdig SaaS region.
- COLLECTOR: Use the collector address for your region. For more information, see SaaS Regions and IP Ranges.
- Administrator permissions to perform the operations.
Coverage Map
Platform | Threat Detection and Response | Vulnerability Management | Posture Management |
---|---|---|---|
Windows Server 2019 | ✅ | ✅ (Host Only) | ✅ |
Windows Server 2022 | ✅ | ✅ (Host Only) | ✅ |
Install the Windows Host Shield
You can install the Windows Host Shield using an MSI, which supports both GUI and CLI operation. Download the MSI package from the Sysdig download center.
GUI Installation
You can run the MSI with its GUI. The installer prompts you to accept the EULA and to enable the optional Vulnerability Management and Posture Management features.

CLI Installation and Configuration
Run the MSI in silent mode from the Command Prompt or PowerShell:
> msiexec /i sysdig-host-shield.msi REGION=<region> ACCESS_KEY=<AGENT_ACCESS_KEY> VM_FEATURE_ENABLED=False POSTURE_FEATURE_ENABLED=False ACCEPT_TERMS_CONDITIONS=True /qn
VM_FEATURE_ENABLED and POSTURE_FEATURE_ENABLED control the same optional features the GUI installer prompts for; set them to True to enable Vulnerability Management or Posture Management.
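The following PowerShell script wraps the silent install above with the checks an operator usually wants: it refuses to run unelevated, writes a verbose installer log, interprets the msiexec exit code instead of assuming success, and confirms that the install directory exists afterwards. It is an added example, not code from the Sysdig documentation or product. Assumptions: the MSI sits in the current directory, the access key is supplied through an environment variable named SYSDIG_ACCESS_KEY (a name chosen here, not a Sysdig convention), and the region value is a placeholder you replace with your own.

```powershell
# Added example (not from the Sysdig docs): silent install of the Windows Host Shield MSI
# with a verbose log and an explicit exit-code check.
# Assumptions: MSI is in the current directory, the access key is in $env:SYSDIG_ACCESS_KEY
# (name chosen for this script), and $Region is a placeholder for your SaaS region.
$ErrorActionPreference = 'Stop'

$Msi     = Join-Path (Get-Location) 'sysdig-host-shield.msi'
$LogFile = Join-Path $env:TEMP 'sysdig-host-shield-install.log'
$Region  = 'us2'   # placeholder; or REGION=custom plus COLLECTOR_URL/COLLECTOR_PORT/API_URL

if (-not (Test-Path $Msi)) { throw "MSI not found: $Msi" }
if ([string]::IsNullOrEmpty($env:SYSDIG_ACCESS_KEY)) {
    throw 'Set SYSDIG_ACCESS_KEY before running this script.'
}

# The installer needs Administrator permissions; fail early instead of half-installing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$msiArgs = @(
    '/i', "`"$Msi`"",
    "REGION=$Region",
    "ACCESS_KEY=$($env:SYSDIG_ACCESS_KEY)",
    'VM_FEATURE_ENABLED=False',
    'POSTURE_FEATURE_ENABLED=False',
    'ACCEPT_TERMS_CONDITIONS=True',
    '/qn',                       # no UI
    '/L*v', "`"$LogFile`""       # verbose log for troubleshooting
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
switch ($proc.ExitCode) {
    0    { Write-Host 'Install succeeded.' }
    3010 { Write-Warning 'Install succeeded; a reboot is required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogFile" }
}

# Sanity check: the install directory used by the AV exclusion guidance should now exist.
$installDir = Join-Path $env:ProgramFiles 'Sysdig\Shield'
if (-not (Test-Path $installDir)) {
    Write-Warning "Expected install directory not found: $installDir"
}
```

The access key is passed on the command line, so it is visible to other local users through process listings while msiexec runs, and a verbose MSI log records property values unless the package author marked the property hidden (whether the Sysdig MSI does so is not stated on this page). Restrict access to the log file, or delete it once the install is confirmed.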
Using Certificate Storage
Windows stores certificates locally in a storage location called the certificate store. This store may contain multiple certificates issued by different Certification Authorities (CAs).
To configure Sysdig Host Shield for certificate storage, set the following environment variables:
- COLLECTOR_CERT=Certstore: Enables certificate store usage.
- COLLECTOR_CERTSTORE_NAME=<store_name>: Specifies the certificate store to use. Choose from:
  - MY: Personal store
  - ROOT: Trusted Root Certification Authorities
  - CA: Intermediate Certification Authorities
  - SPC: Software Publisher Certificates
- COLLECTOR_CERT_SUBJECT=<certificate_subject>: Specifies the Common Name (CN) of the certificate. This can be a full or partial string match.
Example Configuration:
COLLECTOR_CERT=Certstore
COLLECTOR_CERTSTORE_NAME=MY
COLLECTOR_CERT_SUBJECT=SysdigAgentCert
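Because COLLECTOR_CERT_SUBJECT accepts a partial match, it is worth confirming before installation that the store and subject you intend to pass select exactly one certificate, and that the certificate is currently valid. The script below does that check. It is an added example and is not Sysdig code. Assumptions: the store is searched in the LocalMachine context (the agent runs as a service, not as the installing user); the match is modelled as a case-insensitive substring match on the Subject field, mirroring the "full or partial string match" described above; only the MY, ROOT and CA store names are mapped to the PowerShell Cert: drive (SPC is left out because its mapping is not given here); and the script reports, rather than requires, the presence of a private key, since this page does not say whether the certificate is used as a client certificate or as a trust anchor.

```powershell
# Added example (not from the Sysdig docs): check that the certificate selected by
# COLLECTOR_CERTSTORE_NAME and COLLECTOR_CERT_SUBJECT exists, is unique and is valid today.
# Assumptions: LocalMachine store context; case-insensitive substring match on Subject;
# only MY/ROOT/CA mapped to the Cert: drive; private key presence reported, not required.
param(
    [string]$CertStoreName = 'MY',
    [string]$CertSubject   = 'SysdigAgentCert'
)

# Map the Host Shield store names to PowerShell Cert: drive locations.
$storeMap = @{ 'MY' = 'My'; 'ROOT' = 'Root'; 'CA' = 'CA' }
$key = $CertStoreName.ToUpperInvariant()
if (-not $storeMap.ContainsKey($key)) {
    throw "Store '$CertStoreName' is not mapped in this script (only MY, ROOT and CA are)."
}
$storePath = "Cert:\LocalMachine\$($storeMap[$key])"

# -like is case-insensitive by default, so 'sysdigagentcert' also matches.
$found = @(Get-ChildItem -Path $storePath | Where-Object { $_.Subject -like "*$CertSubject*" })

if ($found.Count -eq 0) {
    throw "No certificate in $storePath has '$CertSubject' in its subject."
}
if ($found.Count -gt 1) {
    # A partial CN match selected several certificates; the agent's choice among them is
    # not defined on this page, so make COLLECTOR_CERT_SUBJECT more specific.
    $found | Format-Table Subject, Thumbprint, NotAfter -AutoSize | Out-String | Write-Warning
    throw "$($found.Count) certificates match '$CertSubject'; tighten COLLECTOR_CERT_SUBJECT."
}

$cert = $found[0]
$now  = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

Write-Host "OK: $($cert.Subject)"
Write-Host "    Thumbprint:  $($cert.Thumbprint)"
Write-Host "    Expires:     $($cert.NotAfter)"
Write-Host "    Private key: $($cert.HasPrivateKey)"
Write-Host "Install with: COLLECTOR_CERT=Certstore COLLECTOR_CERTSTORE_NAME=$CertStoreName COLLECTOR_CERT_SUBJECT=$CertSubject"
```

Run it from an elevated session, since reading private-key status in the LocalMachine store can require it; a certificate that is present only in the current user's store will not be found, which is the failure you want to catch before the service tries to use it.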
Using Custom Collector
If you are not using one of the Sysdig SaaS regions (see SaaS Regions and IP Ranges), you must provide REGION=custom and the following variables:
- COLLECTOR_URL: Specifies the custom collector host (for example, your.custom.host.com).
- COLLECTOR_PORT: Specifies the custom collector port (for example, 6443).
- API_URL: Specifies the custom API URL (for example, https://your.custom.host.com).
By setting ACCEPT_TERMS_CONDITIONS to True, you acknowledge and expressly agree that your use of or access to the Sysdig software is governed by the applicable terms and conditions located at Sysdig Legal Terms unless otherwise stated in a Sysdig Order Form or other written mutual agreement between Customer and Sysdig.
Antivirus and EDR Exceptions
Sysdig Windows Host Shield may conflict with Antivirus software or Endpoint Detection and Response (EDR) sensors running on the same host. To prevent those products from terminating the Host Shield processes, set up an exclusion for the Host Shield root installation directory. Keep the exclusion scoped to that directory only; a broader exclusion creates a blind spot for the AV or EDR product.
Carbon Black Cloud
- From the Carbon Black Cloud Console, go to Enforce > Policies.
- Select the desired Policy and click the Prevention tab.
- Add a new Permission by clicking the + sign.
- Add a new application path in the Permissions section and provide the directory exclusion *:\Program Files\Sysdig\Shield\**.
- Check the Bypass option box for Performs Any Operation.
- Click Confirm.
Windows Defender
- Open Windows Security > Virus & threat protection.
- Under Virus & threat protection settings, select Manage settings.
- Under Exclusions, select Add or remove exclusions.
- Click Add an exclusion and choose Folder.
- Browse to the drive where the Sysdig Windows Host Shield was installed and select the Program Files\Sysdig\Shield directory.
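The same Windows Defender exclusion can be applied and verified from an elevated PowerShell session, which is the usual route when the host is built by automation rather than by hand. This is an added example, not Sysdig code; it assumes the default install location under Program Files\Sysdig\Shield and that the Defender cmdlets Add-MpPreference and Get-MpPreference are available on the host.

```powershell
# Added example (not from the Sysdig docs): add the Host Shield install directory to the
# Microsoft Defender folder exclusions and verify that the change took effect.
# Assumes the default install path under Program Files\Sysdig\Shield.
$ErrorActionPreference = 'Stop'
$shieldDir = Join-Path $env:ProgramFiles 'Sysdig\Shield'

if (-not (Test-Path $shieldDir)) {
    throw "Install directory not found: $shieldDir (install the Host Shield first, or adjust the path)."
}

$current = @((Get-MpPreference).ExclusionPath)
if ($current -contains $shieldDir) {
    Write-Host "Exclusion already present: $shieldDir"
} else {
    # Exclude only the Host Shield directory, never a parent such as Program Files.
    Add-MpPreference -ExclusionPath $shieldDir
}

# Verify: the path must appear in the effective exclusion list. If it does not, local
# changes are probably being overridden by Tamper Protection or a managed (GPO/MDM) policy,
# and the exclusion has to be set through that management channel instead.
$after = @((Get-MpPreference).ExclusionPath)
if ($after -notcontains $shieldDir) {
    throw "Exclusion for $shieldDir was not applied; check Tamper Protection or managed Defender policy."
}

Write-Host 'Defender folder exclusions now in effect:'
$after | ForEach-Object { Write-Host "  $_" }
```

Get-MpPreference reads the effective configuration, so the second read is the check that matters: a silent Add-MpPreference followed by the path not appearing means the setting is being managed elsewhere, and the Host Shield will still be at risk of termination until the exclusion exists in that policy.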