Enterprise environment: Set up Windows Subsystem for Linux for your company
This guidance is intended for IT Administrators or Security Analysts responsible for setting up enterprise work environments with the goal of distributing software across multiple machines and maintaining a consistent level of security settings across those work machines.
Many companies use Microsoft Intune and Microsoft Defender to manage these security settings. However, setting up WSL and accessing Linux distributions in this context requires some specific setup. This guidance provides what you need to know to enable the secure use of Linux with WSL in an enterprise environment.
Recommended Enterprise set up with Microsoft Defender for Endpoint, Intune, and Advanced Networking Controls
There are a variety of ways to set up a secure enterprise environment, but we recommend the following for setting up a secure environment that utilizes WSL.
Pre-requisites
To get started, ensure that all enterprise devices have the following minimum versions installed:
Windows 10 22H2 or higher, or Windows 11 22H2 or higher
WSL 2.0.9 or higher (required for the firewall integration and the networking settings described below)
Advanced networking features are only available on Windows 11 22H2 or higher.
You can check the installed WSL version by running wsl --version.
Enable Microsoft Defender for Endpoint (MDE) integration
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. MDE now integrates with WSL as a WSL plugin, which allows security teams to see and continuously monitor for security events in all running WSL distributions with Defender for Endpoint while minimally impacting performance on developer workloads.
Manage WSL with Microsoft Intune
Microsoft Intune is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. You can use Microsoft Intune to manage devices inside your organization, which now also includes managing access to WSL and its key security settings.
See Intune settings for WSL for guidance on using Intune to manage WSL as a Windows component and for the recommended settings.
Use advanced networking features and controls
Starting from Windows 11 22H2 and WSL 2.0.9 or later, Windows firewall rules will automatically apply to WSL. This ensures that the firewall rules set on the Windows host will automatically apply to all WSL distributions by default. For guidance on customizing the firewall settings for WSL, visit Configure Hyper-V firewall.
Mirrored mode networking
networkingMode=mirrored enables mirrored mode networking. This networking mode improves compatibility with complex networking environments, especially VPNs, and adds support for networking features that are unavailable in the default NAT mode, such as IPv6. This setting, and the two below, live under the [wsl2] section of the .wslconfig file in each user's profile.
DNS Tunneling
dnsTunneling=true changes how WSL obtains DNS information. This setting improves compatibility in different networking environments by using virtualization features to pass DNS information to the distribution rather than sending DNS packets over the virtual network. Turn it on if you experience connectivity issues; it is especially helpful when using VPNs, advanced firewall settings, and similar configurations.
Auto proxy
autoProxy=true forces WSL to use the Windows HTTP proxy settings. We recommend turning this setting on when using a proxy on Windows, as the proxy then applies automatically to your WSL distributions.
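The three settings above, together with the firewall integration, are deployed by editing the per-user .wslconfig file. The following PowerShell script is an added example, not code from the original article: it merges the recommended keys into the [wsl2] section of the current user's .wslconfig without discarding keys that are already there, restarts WSL so the new file is read, and then shows the host and distribution addresses so you can confirm mirrored mode is active. It assumes Windows 11 22H2 or later with WSL 2.0.9 or later and a distribution that ships iproute2 (ip), which is the case for the common distributions.

```powershell
# Added example (not from the original article): enforce the recommended
# advanced-networking settings in the current user's .wslconfig.
# The keys written here are the ones documented above (networkingMode,
# dnsTunneling, autoProxy) plus firewall=true for Hyper-V firewall enforcement.

$configPath = Join-Path $env:USERPROFILE '.wslconfig'

# Settings to enforce under the [wsl2] section.
$wanted = [ordered]@{
    networkingMode = 'mirrored'
    dnsTunneling   = 'true'
    autoProxy      = 'true'
    firewall       = 'true'
}

# Parse the existing file (INI style) into section -> ordered key/value map,
# so that unrelated settings (memory, swap, ...) survive the rewrite.
$sections = [ordered]@{}
$current  = $null
if (Test-Path $configPath) {
    foreach ($line in Get-Content $configPath) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = [ordered]@{} }
        }
        elseif ($current -and $trimmed -match '^([^=#;]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
}
if (-not $sections.Contains('wsl2')) { $sections['wsl2'] = [ordered]@{} }
foreach ($k in $wanted.Keys) { $sections['wsl2'][$k] = $wanted[$k] }

# Keep a backup of the previous file, then write the merged configuration.
if (Test-Path $configPath) { Copy-Item $configPath "$configPath.bak" -Force }
$out = foreach ($s in $sections.Keys) {
    "[$s]"
    foreach ($k in $sections[$s].Keys) { "$k=$($sections[$s][$k])" }
    ''
}
Set-Content -Path $configPath -Value $out -Encoding ASCII

# .wslconfig is only read when the WSL virtual machine starts, so stop it.
wsl --shutdown

# Verify: with networkingMode=mirrored the distribution reports the same
# IPv4 addresses as the Windows host instead of a private NAT address.
wsl --version
wsl -e sh -c 'ip -4 addr show | grep inet'
Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress
```

Because .wslconfig is per user, this script has to run in each user's context (for example as a user-scoped Intune PowerShell script or a logon script). If a user has administrative rights on the device they can edit the file back; treat it as a default, and use the Intune settings referenced above where a setting must be enforced rather than recommended.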
Creating a custom WSL image
What is commonly referred to as an "image" is simply a snapshot of your software and its components saved to a file. In the case of the Windows Subsystem for Linux, your image consists of the subsystem, its distributions, and whatever software and packages are installed on the distribution.
Create the image by configuring a reference distribution and running wsl --export <Distro> <FileName> to save it as a tar file. Distribute that file from a share or storage device and register it on each machine by running wsl --import <Distro> <InstallLocation> <FileName>, which imports the specified tar file as a new distribution.
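The export and import steps above, as an added PowerShell example that is not part of the original article. The build-machine half freezes a reference distribution and publishes the tar with its SHA-256; the target-machine half refuses to import the tar unless the hash still matches, so a modified or truncated copy on the share is caught before it becomes a distribution. The distribution names (Ubuntu-Gold, CorpUbuntu), the share path \\fileserver\wsl, and the install location are assumptions.

```powershell
# Added example (not from the original article): export a configured
# reference distribution, publish it with a SHA-256, and import it on a
# target only if the hash verifies. Names and paths are assumptions.

$source   = 'Ubuntu-Gold'                 # reference distro on the build machine
$share    = '\\fileserver\wsl'            # distribution share (read-only for users)
$tarPath  = Join-Path $share 'corp-ubuntu.tar'
$hashPath = "$tarPath.sha256"

# --- Build machine: stop the distro so the export is consistent, then publish ---
wsl --terminate $source
wsl --export $source $tarPath
(Get-FileHash -Algorithm SHA256 $tarPath).Hash | Set-Content $hashPath -Encoding ASCII

# --- Target machine: verify the tar before registering it ---
$name     = 'CorpUbuntu'
$install  = Join-Path $env:LOCALAPPDATA 'WSL\CorpUbuntu'
$expected = (Get-Content $hashPath -Raw).Trim()
$actual   = (Get-FileHash -Algorithm SHA256 $tarPath).Hash

if ($actual -ne $expected) {
    throw "Image hash mismatch for $tarPath : expected $expected, got $actual"
}

New-Item -ItemType Directory -Path $install -Force | Out-Null
wsl --import $name $install $tarPath --version 2

# Confirm the distro registered as WSL 2 and contains the expected OS.
wsl --list --verbose
wsl -d $name -- cat /etc/os-release
```

A hash file sitting next to the tar on the same share only protects against accidental corruption; an attacker who can replace the tar can replace the hash too. For a trust boundary, ship the expected hash through a channel the share owner does not control (for example inside the Intune script that runs the import) or sign the tar and verify the signature before importing.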
Update and patch Linux distributions and packages
Using Linux configuration manager tools is strongly recommended for monitoring and managing Linux user space. There are a host of Linux configuration managers to choose from. See this blog post on Running Puppet quickly in WSL 2.
Windows file system access
When a Linux binary inside WSL accesses a Windows file, it does so with the permissions of the Windows user that ran wsl.exe. So even though a Linux user has root access inside WSL, they cannot perform Windows administrator-level operations on Windows if the Windows user does not have those permissions. With regard to access to Windows files and Windows executables from WSL, running a shell like bash has the same security permissions as running PowerShell from Windows as that user.
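To check that boundary on a real device, the following PowerShell snippet is an added example, not code from the original article. From a non-elevated session it asks root inside the distribution to create a file in an administrator-only Windows directory and attempts the same write from PowerShell as the same user; both should be denied. It then repeats the probe in the user's own profile, where both should succeed, showing that root in WSL is bound by the Windows user's ACLs in both directions. The distribution name CorpUbuntu and the default automount of C: at /mnt/c are assumptions.

```powershell
# Added example (not from the original article): confirm that root inside WSL
# inherits the Windows user's token rather than Administrator rights.
# Run from a NON-elevated PowerShell session. Distro name is an assumption.

$distro = 'CorpUbuntu'

function Test-WslWrite([string]$LinuxPath) {
    # Ask root in the distro to create and remove a probe file; report the ACL result.
    wsl -d $distro -u root -e sh -c "if touch '$LinuxPath' 2>/dev/null; then rm -f '$LinuxPath'; echo WRITABLE; else echo DENIED; fi"
}

function Test-WindowsWrite([string]$WindowsPath) {
    # Same probe from PowerShell, as the Windows user that launched wsl.exe.
    try {
        New-Item -ItemType File -Path $WindowsPath -ErrorAction Stop | Out-Null
        Remove-Item $WindowsPath -ErrorAction SilentlyContinue
        'WRITABLE'
    } catch { 'DENIED' }
}

# 1. Administrator-only location: root in WSL must be denied exactly like PowerShell.
$adminWin   = 'C:\Windows\System32\wsl-acl-probe.txt'
$adminLinux = '/mnt/c/Windows/System32/wsl-acl-probe.txt'
"System32 from WSL root   : $(Test-WslWrite $adminLinux)"
"System32 from PowerShell : $(Test-WindowsWrite $adminWin)"

# 2. User profile: the user owns it, so both paths are writable.
$userWin   = Join-Path $env:USERPROFILE 'wsl-acl-probe.txt'
$userLinux = '/mnt/c/' + ($userWin.Substring(3) -replace '\\', '/')   # assumes C: at /mnt/c
"Profile from WSL root    : $(Test-WslWrite $userLinux)"
"Profile from PowerShell  : $(Test-WindowsWrite $userWin)"
```

If the first pair reports WRITABLE, the session was elevated: an elevated wsl.exe hands its elevated token to the distribution, which is the reverse of the point above and is why WSL should not be launched from elevated shells as a matter of routine.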
Supported
Sharing an approved image internally using wsl --import and wsl --export
Monitor security events inside of WSL distros using Microsoft Defender for Endpoint (MDE)
Use firewall settings to control networking in WSL (Includes syncing Windows firewall settings to WSL)
Control access to WSL and its key security settings with Intune or group policy
Currently unsupported
Below is a list of commonly requested features that are currently unsupported within WSL. These requests are on our backlog and we are investigating ways to add them.
Managing updates and patching of the Linux distributions and packages using Windows tools
Having Windows update also update WSL distro contents
Controlling which distributions users in your Enterprise can access
Controlling root access for users
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.