Query

# *Identify Windows Devices Missing Defender for Endpoint WSL Plugin*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |


#### Description
This rule identifies Windows devices that are onboarded to Microsoft Defender for Endpoint but do not have the Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) installed. It helps ensure that security coverage extends to WSL environments.
Installation instructions for the Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL): https://learn.microsoft.com/en-us/defender-endpoint/mde-plugin-wsl


#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://learn.microsoft.com/en-us/defender-endpoint/mde-plugin-wsl

## Defender XDR
```KQL
// Windows devices seen in the last 30 days that are onboarded to Defender for Endpoint
let ActiveWindowsDevices = 
    DeviceInfo
    | where Timestamp > ago(30d)
    | where OSPlatform startswith "Windows"
    | summarize arg_max(Timestamp, *) by DeviceId
    | where isnotempty(DeviceName)
    | where OnboardingStatus == "Onboarded"
    | project DeviceId, DeviceName, OSPlatform, OSVersion;
// Identify all devices that have the WSL plugin installed
let DevicesWithWslPlugin = 
    DeviceTvmSoftwareInventory
    | where SoftwareName has "Defender for Endpoint plug-in for WSL" or SoftwareName has "DefenderPluginForWSL"
    | summarize by DeviceId;
// Combine the tables and display "yes" or "no"
ActiveWindowsDevices
| extend WslPluginInstalled = iif(DeviceId in (DevicesWithWslPlugin), "yes", "no")
| sort by DeviceName asc
// Optional Filter for Devices with missing WSL Plugin
//| where WslPluginInstalled == "no"
// Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) https://learn.microsoft.com/en-us/defender-endpoint/mde-plugin-wsl
```

Explanation

This query is designed to identify Windows devices that are part of Microsoft Defender for Endpoint but do not have the Defender for Endpoint plugin installed for the Windows Subsystem for Linux (WSL). Here's a breakdown of what the query does:

1. Active Windows devices:
   - It first gathers a list of Windows devices that have been active in the last 30 days.
   - It ensures these devices are onboarded to Microsoft Defender for Endpoint.
   - The resulting list includes details like Device ID, Device Name, OS Platform, and OS Version.
2. Devices with WSL plugin:
   - It identifies devices that have the Defender for Endpoint plugin for WSL installed by checking the software inventory for specific software names related to the plugin.
3. Comparison and output:
   - It compares the list of active Windows devices with the list of devices that have the WSL plugin installed.
   - For each device, it adds a column indicating whether the WSL plugin is installed ("yes" or "no").
   - The results are sorted by device name for easy viewing.
4. Optional filtering:
   - There is an optional filter (commented out) that can be used to show only devices missing the WSL plugin.

This query helps ensure that all Windows devices using WSL are adequately protected by having the necessary Defender plugin installed.
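The query above reports every onboarded Windows device, whether or not WSL is in use on it. The following variant is an added example, not part of the original query or the author's repository: it narrows the "missing plugin" list to devices where WSL has actually been launched in the lookback window and keeps the installed plug-in version so stale builds are visible. It assumes `wsl.exe` as the WSL launcher process name in `DeviceProcessEvents` and reuses the plug-in software-name patterns from the query above; adjust both to what your tenant reports.

```kql
// Added example (not part of the original query).
// Assumptions: wsl.exe is the WSL launcher process name; the plug-in
// software-name patterns are the ones used in the query above.
let Lookback = 30d;
// Onboarded Windows devices seen within the lookback window
let OnboardedWindows =
    DeviceInfo
    | where Timestamp > ago(Lookback)
    | where OSPlatform startswith "Windows"
    | summarize arg_max(Timestamp, *) by DeviceId
    | where isnotempty(DeviceName) and OnboardingStatus == "Onboarded"
    | project DeviceId, DeviceName, OSVersion;
// Devices where the WSL launcher was observed running (assumption: wsl.exe)
let WslInUse =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName =~ "wsl.exe"
    | summarize WslLaunches = count(), LastWslLaunch = max(Timestamp) by DeviceId;
// Installed plug-in per device, keeping one reported version for review
let PluginInventory =
    DeviceTvmSoftwareInventory
    | where SoftwareName has "Defender for Endpoint plug-in for WSL" or SoftwareName has "DefenderPluginForWSL"
    | summarize PluginVersion = take_any(SoftwareVersion) by DeviceId;
// Only devices that actually run WSL are in scope; left-join the plug-in inventory
// so devices without it still appear, with an empty PluginVersion
OnboardedWindows
| join kind=inner WslInUse on DeviceId
| join kind=leftouter PluginInventory on DeviceId
| extend WslPluginInstalled = iif(isnotempty(PluginVersion), "yes", "no")
| project DeviceName, OSVersion, WslLaunches, LastWslLaunch, WslPluginInstalled, PluginVersion
| where WslPluginInstalled == "no"
| sort by LastWslLaunch desc
```

Sorting by `LastWslLaunch` puts the devices with the most recent unprotected WSL activity at the top, which is usually the order in which you want to remediate them; drop the final `where` to see protected and unprotected WSL hosts side by side.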

Details


Benjamin Zulliger

Released: June 14, 2026

Tables

DeviceInfo, DeviceTvmSoftwareInventory

Keywords

Windows, Devices, Defender, Endpoint, WSL, Plugin, Security

Operators

let, |, where, >, ago(), startswith, summarize, arg_max(), by, isnotempty(), ==, project, has, or, extend, iif(), in, sort by, asc
