Evaluate compliance for Windows Subsystem for Linux

Applies to:

  • Windows 10
  • Windows 11

Create a Microsoft Intune policy that checks the compliance of devices running Windows Subsystem for Linux (WSL). Microsoft Intune incorporates the WSL compliance results into the overall compliance state of the host device, so you can see the health of the whole device in one place.

This article describes how to set up compliance checks for WSL.

Important

This feature is in public preview. For more information, see Public preview in Microsoft Intune.

Requirements

These resources are required to create your custom compliance script:

  • Intune WSL plug-in: Use the example PowerShell script to get the installation package file for the Intune WSL plug-in.

  • Custom compliance script: The example PowerShell script calculates compliance against WSL distros based on Distro and Distro Version.

  • JSON for validation: Use the example JSON to define WSL detection rules.

Step 1: Install Intune WSL plug-in

Use the Intune WSL plug-in resource to install the Intune WSL plug-in on the target machine.

Step 2: Add policy for line-of-business app

Create an app policy for the Intune WSL plug-in. The Intune WSL plug-in is considered a Windows line-of-business app.

  1. In the Microsoft Intune admin center, go to Apps > Windows.

  2. Enter app information:

    • Select file: Select this option to upload the installation package file for the Intune WSL plug-in.
    • Name: Enter Intune WSL Plugin.
    • Description: Enter a description for the app. This setting is optional but recommended.
    • Publisher: Enter Microsoft Intune.
  3. Select Next to go to Assignments.

  4. Add Microsoft Entra users under Required to assign the policy.

  5. Select Next to go to Review + create.

  6. Review the summary and then select Create to save the policy.

Step 3: Set up custom script

In a command line, complete the following steps:

  1. Modify the following properties in lines 23-28 of the custom compliance script to match your organization's requirements:

    • Distros

    • Minimum/maximum version

    • Number of days since last check-in a device can remain compliant

  2. In the JSON for validation resource, modify the following fields with your organization's custom values:

    • MoreInfoUrl: Enter the URL where device users can go to learn more about how to meet compliance requirements.

    • RemediationStrings: Enter helpful information for the device user about the compliance requirement for WSL.

      • Language - Example: en-us
      • Title - Example: WSL distros not in compliance with company policy
      • Description - Example: Make sure only allowed distros and versions are registered in WSL.
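
The following check is an added example, not part of the Intune sample files. It lints a JSON validation file for the fields described in step 2 before you upload it. The SettingName, Operator, DataType, Operand, and URL values in the sample are constructed placeholders that follow the Intune custom compliance rule format, the function name is hypothetical, and the HTTPS requirement is this example's own choice.

```powershell
# Added example. SettingName and MoreInfoUrl are constructed placeholders;
# use the setting name that your detection script actually returns.
$sampleJson = @'
{ "Rules": [ {
    "SettingName": "PLACEHOLDER_SETTING_NAME",
    "Operator": "IsEquals",
    "DataType": "String",
    "Operand": "Compliant",
    "MoreInfoUrl": "https://intranet.example.com/wsl-compliance",
    "RemediationStrings": [ {
        "Language": "en-us",
        "Title": "WSL distros not in compliance with company policy",
        "Description": "Make sure only allowed distros and versions are registered in WSL."
    } ]
} ] }
'@
function Test-ComplianceJson {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Json)
    $problems = @()
    try { $doc = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return @("Not valid JSON: $($_.Exception.Message)") }
    if (-not $doc.Rules) { return @('No Rules array found.') }
    foreach ($rule in @($doc.Rules)) {
        $name = $rule.SettingName
        foreach ($field in 'SettingName', 'Operator', 'DataType', 'Operand') {
            if ([string]::IsNullOrWhiteSpace([string]$rule.$field)) {
                $problems += "Rule '$name': $field is missing or empty."
            }
        }
        # This example's own choice: require an absolute HTTPS URL.
        $uri = $null
        $isUri = [uri]::TryCreate([string]$rule.MoreInfoUrl, [System.UriKind]::Absolute, [ref]$uri)
        if (-not $isUri -or $uri.Scheme -ne 'https') {
            $problems += "Rule '$name': MoreInfoUrl must be an absolute https URL."
        }
        if (-not $rule.RemediationStrings) { $problems += "Rule '$name': RemediationStrings is empty." }
        foreach ($text in $rule.RemediationStrings) {
            foreach ($field in 'Language', 'Title', 'Description') {
                if ([string]::IsNullOrWhiteSpace([string]$text.$field)) {
                    $problems += "Rule '$name': remediation string lacks $field."
                }
            }
        }
    }
    return $problems
}
$result = Test-ComplianceJson -Json $sampleJson
if ($result) { $result } else { 'JSON validation file looks complete.' }
```

To check your own file, pass its contents with Get-Content -Raw instead of $sampleJson.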

Step 4: Deploy custom compliance policy

Deploy the custom compliance policy to targeted devices.

  1. In the admin center, go to Endpoint security > Device compliance.

  2. Go to Scripts.

  3. Select Add > Windows 10 and later.

  4. Enter the basic information for your policy, including name and description.

  5. Select Next to go to Settings.

  6. Copy and paste your custom compliance script into Detection Script.

  7. Leave all other settings as is.

Step 5: Create device compliance policy

Create a new device compliance policy for devices running Windows 10 and later.

  1. In the admin center, go to Endpoint security > Device compliance.

  2. Go to Policies.

  3. Select Create policy.

  4. For platform, choose Windows 10 and later.

  5. Select Create.

  6. Enter the basic information for your policy, including Name and Description.

  7. Select Next to go to Compliance settings.

  8. Expand Custom Compliance:

    1. Select the custom compliance script file as the discovery script.

    2. Upload your JSON validation file.

  9. Leave all other settings as is. Select Next.

  10. Review the summary of your policy, and then select Create to save it.

Remediation

A quick way to get a device back to a compliant state is to unregister the noncompliant distro on the device. Unregistering a distro removes it along with all of the data stored in it. Use the following command to unregister a distro:

wsl --unregister [DISTRONAME]

Troubleshooting

Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_MOD_NOT_FOUND

Restart the WSL service. In an elevated PowerShell window, run the following commands:

sc.exe stop wslservice

wsl.exe echo "test"

For WSL troubleshooting help, see Windows Subsystem for Linux.