Managing recommended security settings for Windows Subsystem for Linux

This week is all about Windows Subsystem for Linux (WSL) and managing the recommended settings. WSL is a feature of Windows that allows users to run a Linux environment directly on their Windows machine, without the need to run a separate VM. It’s designed to provide a seamless and productive experience for users who want to use both Windows and Linux at the same time. Of course, it’s important to match that level of productivity with the right level of security. Luckily, Microsoft also provides guidance around enabling the secure use of Linux with WSL in an enterprise environment, all focused on using Microsoft Intune and Microsoft Defender. This post will have a brief look at the recommended security settings for WSL, followed by the steps for configuring those settings, and ends with a look at that configuration in practice. As a bonus this post contains a download of the recommended security settings for WSL in Microsoft Intune.

Note: The focus of this post is on the recommended settings for WSL that are configured via Microsoft Intune.

Looking at the recommended security settings for WSL

When looking at managing the recommended security settings for WSL, it all starts with the documentation provided by Microsoft. Within those docs Microsoft created a list of recommended security settings for when using WSL within the organization. An overview of those recommended settings is shown in the table below.

Setting | Value | Description
Allow the Inbox version of the Windows Subsystem for Linux | Disabled | This policy disables the inbox version (optional component) of WSL. Only the Store version of WSL can be used.
Allow WSL1 | Disabled | This policy disables WSL1. Only WSL2 distributions can be used.
Allow the debug shell | Disabled | This policy disables the debug shell (wsl.exe --debug-shell). This policy only applies to Store WSL.
Allow custom kernel configuration | Disabled | This policy disables custom kernel configuration via .wslconfig (wsl2.kernel). This policy only applies to Store WSL.
Allow kernel command line configuration | Disabled | This policy disables kernel command line configuration via .wslconfig (wsl2.kernelCommandLine). This policy only applies to Store WSL.
Allow custom system distribution configuration | Disabled | This policy disables custom system distribution configuration via .wslconfig (wsl2.systemDistro). This policy only applies to Store WSL.
Allow custom networking configuration | Disabled | This policy disables custom networking configuration via .wslconfig (wsl2.networkingmode). This policy only applies to Store WSL.
Allow user setting firewall configuration | Disabled | This policy disables firewall configuration via .wslconfig (wsl2.firewall). This policy only applies to Store WSL.
Allow nested virtualization | Disabled | This policy disables nested virtualization configuration via .wslconfig (wsl2.nestedVirtualization). This policy only applies to Store WSL.
Allow kernel debugging | Disabled | This policy disables kernel debugging configuration via .wslconfig (wsl2.kernelDebugPort). This policy only applies to Store WSL.

Note: Keep in mind that the recommended security settings for WSL are focussed on using the Store WSL.
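Most of the policies in the table above override keys in the user's .wslconfig file, so before rolling the policy out it is useful to know which users rely on those keys. The following script is an added example (not from the original post or from Microsoft) that parses a .wslconfig and reports every [wsl2] key that one of the recommended policies disables; it assumes .wslconfig is the INI-style file stored in the user's profile directory and runs against a constructed sample.

```python
"""Audit a .wslconfig file for [wsl2] keys that the recommended WSL policies disable."""
import configparser

# Keys under [wsl2] that each recommended Intune policy disables, taken from
# the settings table. .wslconfig keys are case-insensitive, so compare lowercase.
POLICY_BLOCKED_KEYS = {
    "kernel": "Allow custom kernel configuration",
    "kernelcommandline": "Allow kernel command line configuration",
    "systemdistro": "Allow custom system distribution configuration",
    "networkingmode": "Allow custom networking configuration",
    "firewall": "Allow user setting firewall configuration",
    "nestedvirtualization": "Allow nested virtualization",
    "kerneldebugport": "Allow kernel debugging",
}


def audit_wslconfig(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value, policy) for every [wsl2] key a policy disables.

    Keys are returned lowercased; values are returned as written in the file.
    """
    # interpolation=None keeps '%' in values literal; strict=False tolerates
    # duplicate keys instead of raising on a hand-edited file.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if section.lower() != "wsl2":
            continue
        for key, value in parser.items(section):
            policy = POLICY_BLOCKED_KEYS.get(key.lower())
            if policy is not None:
                findings.append((key.lower(), value, policy))
    return findings


# Constructed sample .wslconfig for demonstration; not taken from a real device.
SAMPLE_WSLCONFIG = r"""
# user's .wslconfig (constructed sample)
[wsl2]
memory=8GB
networkingMode=mirrored
nestedVirtualization=true
kernel=C:\\temp\\custom-kernel
"""

if __name__ == "__main__":
    for key, value, policy in audit_wslconfig(SAMPLE_WSLCONFIG):
        print(f"{key}={value} is disabled once '{policy}' is set to Disabled")
```

Run it against %UserProfile%\.wslconfig (assumed location) on each device, for example through a proactive remediation detection script, to find users the policy will affect.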

Configuring the recommended security settings for WSL

After becoming familiar with the recommended security settings for WSL, it’s time to look at the configuration of those settings. Luckily, all the recommended security settings are available within the Settings Catalog. That makes the configuration pretty straightforward. The following eight steps walk through the configuration for applying those recommended security settings.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New Policy
  3. On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
  4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
  • Click Add settings, navigate to Windows Subsystem For Linux and select the following settings in the Settings picker
    • Allow the Inbox version of the Windows Subsystem for Linux, Allow WSL1, Allow the debug shell, Allow custom kernel configuration, Allow kernel command line configuration, Allow custom system distribution configuration, Allow custom networking configuration, Allow user setting firewall configuration, Allow nested virtualization, and Allow kernel debugging
  • Switch the slider to the left for all selected settings to disable each setting, in line with the recommended security settings
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment for the required users or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Download: To make it easier for everybody, here is a download to the exported configuration in JSON format.

Experiencing the recommended security settings for WSL

After applying the recommended security settings for WSL, it’s time to verify the configuration. That can be achieved by looking at the configuration status in Microsoft Intune, or by looking at the applied configuration locally on the device. Even better is to simply experience the configuration, by looking at the version of WSL or by trying commands that are now blocked. For example, try using wsl.exe --debug-shell as shown below in Figure 2. That should notify the user that the debug shell is disabled by the computer policy. Besides that, the same figure also shows the installed version of Windows Subsystem for Linux. By default, Ubuntu will be installed as the Linux distribution, as shown in the header figure. That Linux distribution can be adjusted during the installation, if needed.

Note: Keep in mind that running WSL on a (Hyper-V) VM requires nested virtualization to be enabled.

More information

For more information regarding WSL and the recommended settings, refer to the following docs.

2 thoughts on “Managing recommended security settings for Windows Subsystem for Linux”

  1. Hi Peter, I have created that policy a month ago but when I run “wsl --debug-shell” in a cmd I do not get the message that wsl has been disabled. Policy has been applied to my device, no errors, no conflicts. Any idea?

