PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 9 min read

Windows Subsystem for Linux (WSL) Security: How to Manage and Harden WSL in Enterprise Environments

Kali Linux
Available as a WSL distribution -- includes full offensive security toolkit by default
GPO
Primary enterprise control -- disallow WSL via Allow Windows Subsystem for Linux policy
ELF binaries
Linux executables run in WSL -- not scanned by many Windows AV products without explicit configuration

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

WSL is a productive tool for developers who need Linux tooling on Windows workstations. It is also a potential security gap: standard Windows security controls (application allowlisting, Windows event logging, many EDR agents) were designed for Windows PE executables and may not fully cover Linux ELF binaries running in the WSL subsystem. Attackers who obtain code execution on a Windows endpoint can potentially use WSL to run Linux-based attack tooling that bypasses Windows-side security controls. The right enterprise approach is a deliberate policy: allow WSL for developer roles with monitoring configured, or block WSL for all other roles. The default -- WSL enabled by default on Windows 10/11 with no enterprise policy -- is the worst outcome.

Assess WSL Usage in Your Environment

Before deploying controls, determine how many devices have WSL installed and which users are using it. PowerShell to enumerate WSL installations across managed endpoints via Intune or SCCM: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux will return Enabled or Disabled for each device. Via Intune device compliance: create a device health script that checks the feature state and reports it as a custom attribute. From event logs: WSL activity can sometimes be detected by searching for the wsl.exe and wslhost.exe processes in Sysmon process creation events (Event ID 1). Search your SIEM: index=sysmon EventID=1 Image="\wsl.exe" OR Image="\wslhost.exe" OR CommandLine="wsl" | stats count by Computer, User. The result tells you whether WSL is already in active use before you enforce any restrictions.

Block WSL for Non-Developer Roles via GPO

For endpoints where WSL is not a business requirement, disable it via Group Policy. The WSL-specific GPO setting is in Computer Configuration > Administrative Templates > Windows Components > Windows Subsystem for Linux > Allow Windows Subsystem for Linux. Set to Disabled to block all WSL functionality. Additionally, block WSL installation via Microsoft Store controls and the Optional Features panel: the Microsoft-Windows-Subsystem-Linux Windows feature can be blocked via GPO at Computer Configuration > Administrative Templates > System > 'Specify settings for optional component installation and component repair'. For developer endpoints where WSL is required: allow it but configure monitoring (see the monitoring section). Separate developer workstations into a dedicated Intune or GPO group so WSL controls can be applied differentially. Standard business user laptops should have WSL blocked; developer workstations should have WSL allowed with enhanced monitoring.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Defender AV to Scan the WSL Filesystem

Windows Defender does not scan the WSL 2 Linux filesystem by default. The Linux ext4 filesystem image (the .vhd file) is not mounted as a Windows volume that Defender routinely scans. To enable Defender scanning of WSL paths: in the Windows Security Center or via Intune, ensure that 'Scan mapped drives' and 'Scan removable drives' are enabled. More importantly, configure a manual scan target for the WSL filesystem directory: Add-MpPreference -ScanScheduledScanOnlyIfIdle $false and configure a scheduled scan of %USERPROFILE%\AppData\Local\Packages\CanonicalGroupLimited* which is where WSL distribution filesystems are stored. Defender for Endpoint (MDE) version 101.24062 and later includes native WSL monitoring support via the MDE Linux agent deployed within the WSL distribution itself -- for environments with MDE, configure the MDE Linux sensor inside WSL distributions on monitored endpoints.

Enable WSL Process Auditing via Sysmon

Standard Windows Sysmon configuration captures WSL process creation if the Sysmon process monitoring rules include ELF binary paths within the WSL virtual filesystem (/usr/bin, /usr/local/bin, etc.). However, Sysmon captures these as Windows events about the wslhost.exe process, not as individual Linux process events. For comprehensive Linux process visibility within WSL: deploy the MDE Linux sensor or the Sysmon for Linux binary within the WSL distribution itself. The MDE Linux agent within WSL generates standard MDE telemetry for Linux processes, network connections, and file operations. Alternatively, configure Linux audit daemon (auditd) within the WSL distribution: within the WSL shell, install auditd and configure rules, then forward the audit log to your SIEM via syslog forwarding configured within the WSL Linux environment. The WSL syslog can be forwarded to a Windows syslog forwarder by writing to the Windows host's event log via /proc/sys/kernel hooks or by using a WSL-aware log forwarding agent.

Network Access Controls for WSL

WSL 2 uses a virtual network interface (vEthernet WSL) with a private IP address space. By default, WSL distributions have outbound internet access through the host's network. This means a user with WSL installed can run network tools (nmap, Impacket, Responder) from within the WSL environment, and the traffic originates from the Windows host's IP address. Windows Firewall rules do not automatically apply to the WSL virtual network interface in the same way as the host network interface. Hardening: configure the host Windows Firewall to block or restrict traffic on the WSL vEthernet interface (vEthernet WSL) -- specifically block inbound connections to WSL from the internal network and restrict WSL outbound to only the services the WSL distribution needs. In network monitoring, add detection for unusual port scanning or network enumeration traffic originating from IP addresses of developer workstations during non-development hours. WSL should be treated like a privileged toolset: appropriate for specific roles with monitoring, not a default unmonitored capability.

The bottom line

WSL requires an explicit enterprise policy decision. The default (enabled with no monitoring) is the worst security posture. Block WSL via GPO for all standard business user roles. For developer endpoints where WSL is needed, configure Defender AV to scan the WSL filesystem, deploy MDE Linux sensor or auditd within the WSL distribution, and monitor WSL process creation via Sysmon or MDE. Treat developer workstations with WSL as higher-risk endpoints that warrant enhanced monitoring.

Frequently asked questions

Can EDR products detect attacks run from within WSL?

It depends on the EDR product and configuration. Microsoft Defender for Endpoint with the MDE Linux sensor configured within the WSL distribution provides full process and network visibility for WSL activity. CrowdStrike Falcon has a WSL sensor available. SentinelOne has WSL coverage in their endpoint agent. Products without specific WSL support see WSL activity only at the Windows host process level (wsl.exe, wslhost.exe process creation) but not the individual Linux process and file operations within WSL. Check with your EDR vendor for their specific WSL coverage statement and configuration requirements.

Does WDAC or AppLocker apply to WSL binaries?

Windows Defender Application Control (WDAC) and AppLocker apply to Windows PE executables and do not natively block Linux ELF binaries running within WSL. WDAC can control whether WSL itself (wsl.exe) can run -- blocking wsl.exe effectively blocks WSL use. But if WSL is allowed to run, the Linux binaries executed within it are not subject to WDAC or AppLocker policies. This is a key gap: an application control policy that blocks common Windows attack tools (PowerShell in constrained mode, Mimikatz.exe) does not block the equivalent Linux tools run from WSL.

How do I check if a user ran specific commands in WSL?

Within the WSL distribution, the Linux command history is stored in ~/.bash_history or ~/.zsh_history. If the user has not cleared this file, historical commands are visible. For forensic investigation: access the WSL filesystem from Windows at \\wsl$\Ubuntu\home\username (while WSL is running) or directly at the .vhd file for offline analysis. Auditd configured within WSL provides structured audit records. Without auditd configured beforehand, .bash_history is the primary post-hoc forensic source within WSL.

Is WSL 1 safer than WSL 2 from a security perspective?

WSL 1 translates Linux system calls to Windows kernel calls without a separate Linux kernel -- the Linux processes run in the Windows process space and are more visible to Windows security tools. WSL 2 uses a lightweight VM with a real Linux kernel, which creates a more isolated environment with less Windows-layer visibility. From an enterprise security perspective, WSL 1 provides more transparency to Windows-side monitoring tools. However, most Linux distributions now recommend or require WSL 2 for compatibility. The practical answer: for security visibility, configure MDE Linux sensor or auditd within WSL 2 rather than attempting to rely on WSL 1 compatibility for monitoring purposes.

Can an attacker use WSL to download and execute malware that bypasses Windows Defender?

Partially. Files downloaded within WSL to the WSL filesystem (/home/user/malware) are initially not scanned by Windows Defender because the Defender AV agent does not scan the WSL virtual disk by default. An attacker can download a Linux ELF binary, compile exploit code, or fetch scripts within WSL without triggering Windows Defender signature detection. However, once a file from WSL is accessed via the Windows filesystem path (\\wsl$\Ubuntu\...) or copied to the Windows filesystem, Windows Defender scans it. Configure Defender's 'Scan mapped network drives' setting and deploy the MDE Linux sensor within WSL to close this gap. MDE Linux sensor detects malicious Linux processes regardless of which filesystem they originate from.

How do you enforce enterprise WSL policies at scale using Intune and what specific settings should be configured?

WSL enterprise policy configuration requires the WSL Intune MDM policies available in Windows 11 22H2 and later. Configure via Intune Settings Catalog (or custom OMA-URI for older builds) under the 'Windows Subsystem for Linux' category. Key policies: set 'Allow WSL' to Disabled for endpoints where WSL has no legitimate business purpose (most enterprise desktops). For environments where WSL is needed: set 'Allow WSL2' to Disabled if you require WSL 1 for its greater Windows-layer visibility. Set 'Allow the debug shell' to Disabled to prevent access to a root WSL shell that bypasses normal Windows security controls. Set 'Allow custom kernel configuration' to Disabled to prevent users from loading custom Linux kernels. Enable network mirroring mode (set NatNetwork to mirrored in .wslconfig) so WSL traffic uses Windows Firewall rules rather than a separate virtual switch. Deploy the MDE Linux sensor in WSL by including the MDE onboarding script in your WSL provisioning workflow -- MDE detects malicious Linux processes in WSL 2 environments where Windows Defender has no native visibility.

Sources & references

  1. Microsoft: WSL Enterprise Security
  2. Microsoft: Configure WSL Settings with Group Policy

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.