This week is all about the device compliance capabilities for Windows Subsystem for Linux (WSL). WSL is a feature of Windows that allows the user to run a Linux environment on their Windows device, without needing a separate VM or a dual boot. It’s designed to provide a seamless experience for users who want to use Windows and Linux at the same time. By default, Ubuntu is used as the Linux distribution. There are, however, more options such as Debian, Kali, and SUSE. For the IT administrator it’s good to have the ability to check the Linux distribution and version that is used. That can be achieved by using device compliance policies, as there is now a section specifically focused on adding checks related to WSL and making those checks part of the overall compliance state of the device. This post will focus on the prerequisite for performing that compliance check, the actual steps to add the checks to the device compliance policy, and the resulting experience.
Deploying the Intune WSL plugin for Windows
When using device compliance settings for WSL, it all starts with installing the Intune WSL plugin. The good thing is that when doing that by using a Win32 app, it also addresses the other requirement that the Intune Management Extension must be installed, as deploying a Win32 app automatically takes care of that. So, basically the only real prerequisite is deploying the Intune WSL plugin. That starts by downloading the source file here. After that, simply use the Microsoft Win32 Content Prep Tool to wrap the installation file (IntuneWSLPluginInstaller.msi.exe) in an .intunewin file. Those steps are pretty straightforward when starting the content prep tool. Once the wrapping is successful, the app can be added to Microsoft Intune.
When all the information is available, the following twelve steps can be used to walk through the process of adding the app to Microsoft Intune. The focus in those steps is on the Intune WSL plugin installation specifics.
- Open the Microsoft Intune admin center portal and navigate to Apps > Windows > Windows apps
- On the Windows | Windows apps page, click Add > Windows app (Win32) and click Select
- On the App information page, select the just created .intunewin file and click Next
- On the expanded App information page, specify at least a Name, Description and Publisher and click Next
- On the Program page, as shown below in Figure 1, specify at least the following information and click Next
  - Install command (1): Specify msiexec /i "IntuneWSLPluginInstaller.msi" /qn as the installation command
  - Uninstall command (2): Specify msiexec /x "{DFAEA0AE-7022-4982-8581-8A95A20A6C86}" /qn as the uninstall command
- On the Requirements page, specify at least an Operating system architecture and Minimum operating system and click Next
- On the Detection rules page, as shown below in Figure 2, select Manually configure detection rules, specify the following rule and click Next
  - Rule type (1): Select MSI as the rule type
  - MSI product code (2): Specify {DFAEA0AE-7022-4982-8581-8A95A20A6C86} as the product code to detect the installation
  - MSI product version check: Select No to not specifically check the version
- On the Dependencies page, (optionally) configure any dependencies for the app and click Next
- On the Supersedence page, (optionally) configure any supersedence relations to older versions and click Next
- On the Scope tags page, (optionally) configure any required scope tags and click Next
- On the Assignments page, configure the assignment to deploy the Intune WSL plugin and click Next
- On the Review + create page, verify the provided configuration and click Create
Note: The information in these steps is based on the Intune WSL plugin, version 1.0.0.0.
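The steps above rely on two things being present on the device: the Intune WSL plugin MSI and the Intune Management Extension. The following PowerShell script is an added example (not code from the post or from Microsoft) that verifies both locally. It assumes the MSI product code from the steps above, that the MSI registers itself under the standard Uninstall registry key (either the native or the WOW6432Node view, since the installer's bitness is not stated), and that the Intune Management Extension runs as the Windows service named IntuneManagementExtension.

```powershell
# Added example: verify the prerequisites for the WSL compliance check on a device.
# Assumptions: product code as used in the Win32 app steps; the Intune Management
# Extension service is named "IntuneManagementExtension".

$ProductCode = '{DFAEA0AE-7022-4982-8581-8A95A20A6C86}'

function Test-IntuneWslPlugin {
    # An MSI registers its product code under the Uninstall key. Check both the
    # native and the 32-bit (WOW6432Node) view so a 32-bit MSI on x64 is found too.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $uninstallRoots) {
        $key = Join-Path -Path $root -ChildPath $ProductCode
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key
            return [pscustomobject]@{
                Installed   = $true
                DisplayName = $props.DisplayName
                Version     = $props.DisplayVersion
                RegistryKey = $key
            }
        }
    }
    return [pscustomobject]@{ Installed = $false; DisplayName = $null; Version = $null; RegistryKey = $null }
}

function Test-IntuneManagementExtension {
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    return [pscustomobject]@{ Present = [bool]$svc; Status = $status }
}

$plugin = Test-IntuneWslPlugin
$ime    = Test-IntuneManagementExtension

$plugin | Format-List
$ime    | Format-List

# Exit 0 only when both prerequisites are met, so the script can also serve as a
# custom requirement or detection script for a dependent Win32 app.
if ($plugin.Installed -and $ime.Present) { exit 0 } else { exit 1 }
```

Run it in an elevated PowerShell session on a device that received the assignment; a missing plugin shows as Installed = False, and a stopped or missing service shows in the Status field of the second object.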
Creating the device compliance policy settings for WSL
After the Intune WSL plugin is installed, it’s time to look at the actual device compliance policy. That device compliance policy now contains a new section specifically for WSL. It contains settings related to Linux distributions installed on managed Windows devices that can affect the compliance state of the device. At this moment that includes the ability to verify the Linux distribution and version that is used. The following nine steps walk through the configuration of a device compliance policy that will only be used for verifying the Linux distribution used in WSL.
- Open the Microsoft Intune admin center portal and navigate to Devices > Compliance
- On the Devices | Compliance blade, click Create Policy
- On the Create a policy page, provide the following information and click Create
  - Platform: Select Windows 10 and later as value for the platform
  - Profile type: Based on the selected platform automatically configured to Windows 10/11 compliance policy
- On the Basics page, specify a valid unique name for the device compliance policy and click Next
- On the Compliance settings page, as shown below in Figure 3, configure at least the following setting in the Windows Subsystem for Linux (WSL) category and click Next
  - Distribution name (1): Specify the Linux distribution that is allowed for WSL
  - Minimum OS version (2): (Optional) Specify the minimum version of the Linux distribution for WSL
  - Maximum OS version (3): (Optional) Specify the maximum version of the Linux distribution for WSL
- On the Actions for noncompliance page, leave the default configuration of Action on Mark device noncompliant with Schedule (days after noncompliance) on Immediately and click Next
- On the Scope tags page, configure the applicable scope tags and click Next
- On the Assignments page, configure the applicable assignment and click Next
- On the Review + create page, review the configuration and click Create
Note: The creation of the device compliance policy with WSL settings automatically generates a read-only custom PowerShell script. That script can be found in the Microsoft Intune admin center by navigating to Devices > Compliance > Scripts. In that location should be a new script that is named Built-in WSL Compliance-<PolicyID>. That script contains the configured settings of the device compliance policy. Besides that, it’s also the reason why the Intune Management Extension is required for checking the compliance. Editing the device compliance policy will also edit the custom PowerShell script.
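To preview what the three WSL settings above would report for a device before the policy evaluates, the following PowerShell script is an added example; it is neither the post's code nor the Built-in WSL Compliance script that Intune generates, whose exact logic is not documented on this page. It assumes the allowed distribution and version bounds shown as constructed values, that registered distributions for the current user can be enumerated from HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss (DistributionName value per subkey), that the Linux version is the VERSION_ID field of /etc/os-release inside each distribution, and that the policy's Distribution name matches either the registered name as a prefix (for example Ubuntu matching Ubuntu-22.04) or the os-release ID field.

```powershell
# Added example: approximate the WSL compliance evaluation locally.
# Constructed policy values (assumptions, adjust to the actual policy):
$AllowedDistribution = 'Ubuntu'   # "Distribution name"
$MinimumOsVersion    = '22.04'    # "Minimum OS version" (optional, '' to skip)
$MaximumOsVersion    = '24.04'    # "Maximum OS version" (optional, '' to skip)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # [version] needs at least "major.minor"; Debian reports VERSION_ID="12",
    # so pad single-component versions. Return $null when not parseable.
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $t = $Text.Trim()
    if ($t -notmatch '\.') { $t = "$t.0" }
    try { return [version]$t } catch { return $null }
}

function Get-WslDistribution {
    # Enumerate distributions registered for the current user via the registry;
    # this avoids the UTF-16 output quirk of "wsl.exe --list".
    $lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    if (-not (Test-Path -Path $lxss)) { return @() }
    Get-ChildItem -Path $lxss | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath).DistributionName
        if (-not $name) { return }
        # Ask the distribution itself for its os-release data (assumption: the
        # version the policy compares is VERSION_ID). Errors leave $osRelease empty.
        $osRelease = & wsl.exe -d $name -- cat /etc/os-release 2>$null
        $versionId = ($osRelease | Where-Object { $_ -like 'VERSION_ID=*' } | Select-Object -First 1) -replace '^VERSION_ID=', '' -replace '"', ''
        $id        = ($osRelease | Where-Object { $_ -like 'ID=*' } | Select-Object -First 1) -replace '^ID=', '' -replace '"', ''
        [pscustomobject]@{ Name = $name; Id = $id; VersionId = $versionId }
    }
}

function Test-WslDistributionCompliance {
    param([pscustomobject]$Distro)
    $reasons = @()
    # Assumption: name prefix match or os-release ID match counts as the allowed distribution.
    $nameMatches = ($Distro.Name -like "$AllowedDistribution*") -or ($Distro.Id -eq $AllowedDistribution)
    if (-not $nameMatches) { $reasons += "distribution '$($Distro.Name)' is not '$AllowedDistribution'" }

    $v = ConvertTo-ComparableVersion -Text $Distro.VersionId
    if (-not $v) {
        # Unreadable version (distribution not started, no os-release, odd format)
        # is reported rather than silently treated as compliant.
        $reasons += "version '$($Distro.VersionId)' could not be parsed"
    } else {
        $min = ConvertTo-ComparableVersion -Text $MinimumOsVersion
        $max = ConvertTo-ComparableVersion -Text $MaximumOsVersion
        if ($min -and $v -lt $min) { $reasons += "version $v is below minimum $min" }
        if ($max -and $v -gt $max) { $reasons += "version $v is above maximum $max" }
    }
    [pscustomobject]@{
        Name      = $Distro.Name
        VersionId = $Distro.VersionId
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

$results = @(Get-WslDistribution | ForEach-Object { Test-WslDistributionCompliance -Distro $_ })
if ($results.Count -eq 0) { Write-Output 'No WSL distributions registered for this user.' }
$results | Format-Table -AutoSize
```

Because the Lxss key lives under HKCU, run the script in the context of the user whose distributions you want to inspect; each distribution is started briefly to read its os-release file, so expect a short delay per distribution.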
Experiencing the device compliance configuration for WSL
After the device compliance policy is in place, it’s time to verify the configuration. There are many different methods to achieve this, either locally on the device or remotely via the Microsoft Intune admin center portal. In this case, the most interesting and most telling information is available remotely via the reports and status messages in Microsoft Intune. The most direct information is available in the Device compliance section of the device, by navigating to the specific device compliance policy. That should now contain the WSLInstancesComplianceStatus as shown below in Figure 4.
More information
For more information about the WSL and device compliance, refer to the following docs.
- What is Windows Subsystem for Linux | Microsoft Learn
- Compliance for Windows Subsystem for Linux | Microsoft Learn
- Windows compliance settings in Microsoft Intune | Microsoft Learn