Evaluate compliance for Windows Subsystem for Linux
Applies to:
- Windows 10
- Windows 11
Create a Microsoft Intune policy that checks the compliance of devices running Windows Subsystem for Linux (WSL). Microsoft Intune incorporates the WSL compliance results into the overall compliance state of the host device, so a noncompliant distro is reflected in the compliance state reported for the device as a whole.
This article describes how to set up compliance checks for WSL.
Important
This feature is in public preview. For more information, see Public preview in Microsoft Intune.
Requirements
These resources are required to create your custom compliance script:
Intune WSL plugin: Use the example PowerShell script to get the installation package file for the Intune WSL plugin.
Custom compliance script: The example PowerShell script calculates compliance against WSL distros based on Distro and Distro Version.
JSON for validation: Use the example JSON to define WSL detection rules.
Step 1: Install Intune WSL plugin
Use the Intune WSL plugin resource to install the Intune WSL plugin on the target machine.
Step 2: Add policy for line-of-business app
Create an app policy for the Intune WSL plugin. The Intune WSL plugin is considered a Windows line-of-business app.
In the Microsoft Intune admin center, go to Apps > Windows.
Enter app information:
- Select file: Select this option to upload the installation package file for the Intune WSL plugin.
- Name: Enter Intune WSL Plugin.
- Description: Enter a description for the app. This setting is optional but recommended.
- Publisher: Enter Microsoft Intune.
Select Next to go to Assignments.
Add Microsoft Entra users under Required to assign the policy.
Select Next to go to Review + create.
Review the summary and then select Create to save the policy.
Step 3: Set up custom script
In a command line, complete the following steps:
Modify the following properties in lines 23-28 of the custom compliance script to match your organization's requirements:
Distros
Minimum/maximum version
Number of days since last check-in a device can remain compliant
In the JSON for validation resource, modify the following fields with your organization's custom values:
MoreInfoUrl: Enter the URL where device users can go to learn more about how to meet compliance requirements.
RemediationStrings: Enter helpful information for the device user about the compliance requirement for WSL.
- Language - Example: en-us
- Title - Example: WSL distros not in compliance with company policy
- Description - Example: Make sure only allowed distros and versions are registered in WSL.
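The three properties listed above (allowed distros, minimum/maximum version, days since last check-in) combine into one per-distro decision. The following PowerShell sketch is an added example, not Microsoft's custom compliance script. The function name, the `WslDistroCompliance` setting name, the status strings, and the inventory objects are all hypothetical, and it does not show how the real script reads distro data from the Intune WSL plugin.

```powershell
# Added example (not Microsoft's script). Policy and inventory values are constructed.
$AllowedDistros = @(
    @{ Name = 'Ubuntu'; MinVersion = [version]'22.04'; MaxVersion = [version]'24.04' },
    @{ Name = 'Debian'; MinVersion = [version]'12.0';  MaxVersion = [version]'12.99' }
)
$MaxDaysSinceCheckIn = 30

function Test-WslDistroCompliance {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Inventory,
        [Parameter(Mandatory)][object[]]$Policy,
        [Parameter(Mandatory)][int]$MaxDays,
        [datetime]$Now = (Get-Date)
    )
    foreach ($d in $Inventory) {
        $rule = $Policy | Where-Object { $_.Name -eq $d.Distro } | Select-Object -First 1
        $parsed = $null; $reason = $null
        if (-not $rule) { $reason = 'distro not allowed' }
        elseif (-not [version]::TryParse($d.Version, [ref]$parsed)) { $reason = 'version unreadable' }
        elseif ($parsed -lt $rule.MinVersion -or $parsed -gt $rule.MaxVersion) { $reason = 'version out of range' }
        elseif (($Now - $d.LastCheckIn).TotalDays -gt $MaxDays) { $reason = 'check-in too old' }
        [pscustomobject]@{ Distro = $d.Distro; Version = $d.Version; Compliant = (-not $reason); Reason = $reason }
    }
}

# Constructed inventory standing in for what the plugin would report.
$now = Get-Date
$inventory = @(
    [pscustomobject]@{ Distro = 'Ubuntu';        Version = '22.04'; LastCheckIn = $now.AddDays(-2) },
    [pscustomobject]@{ Distro = 'Ubuntu';        Version = '18.04'; LastCheckIn = $now.AddDays(-1) },
    [pscustomobject]@{ Distro = 'ExampleDistro'; Version = '1.0';   LastCheckIn = $now.AddDays(-1) },
    [pscustomobject]@{ Distro = 'Debian';        Version = '12.5';  LastCheckIn = $now.AddDays(-45) }
)
# @() keeps an empty result an empty array, so a device with no distros evaluates as compliant.
$results = @(Test-WslDistroCompliance -Inventory $inventory -Policy $AllowedDistros -MaxDays $MaxDaysSinceCheckIn -Now $now)
$failed  = @($results | Where-Object { -not $_.Compliant })
$failed | ForEach-Object { Write-Verbose "$($_.Distro) $($_.Version): $($_.Reason)" }

# An Intune custom compliance discovery script returns one compressed JSON object;
# its key must match a SettingName in the JSON validation file (name assumed here).
@{ WslDistroCompliance = $(if ($failed.Count) { 'NonCompliant' } else { 'Compliant' }) } | ConvertTo-Json -Compress
```

Per-distro reasons go to the verbose stream so that the only standard output is the JSON object Intune evaluates.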
Step 4: Deploy custom compliance policy
Deploy the custom compliance policy to targeted devices.
In the admin center, go to Endpoint security > Device compliance.
Go to Scripts.
Select Add > Windows 10 and later.
Enter the basic information for your policy, including name and description.
Select Next to go to Settings.
Copy and paste your custom compliance script into Detection Script.
Leave all other settings as is.
Step 5: Create device compliance policy
Create a new device compliance policy for devices running Windows 10 and later.
In the admin center, go to Endpoint security > Device compliance.
Go to Policies.
Select Create policy.
For platform, choose Windows 10 and later.
Select Create.
Enter the basic information for your policy, including Name and Description.
Select Next to go to Compliance settings.
Expand Custom Compliance:
Select the custom compliance script file as the discovery script.
Upload your JSON validation file.
Leave all other settings as is. Select Next.
Review the summary of your policy, and then select Create to save it.
Remediation
A quick way to get a device back to a compliant state is to unregister the noncompliant distro on the device. Use the following command to unregister a distro:
wsl --unregister [DISTRONAME]
Troubleshooting
Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_MOD_NOT_FOUND
Restart the WSL service. In an elevated PowerShell window, run the following commands:
sc.exe stop wslservice
wsl.exe echo "test"
For WSL troubleshooting help, see Windows Subsystem for Linux.