Identify Windows Devices Missing Defender For Endpoint WSL Plugin
Query
```kql
// Onboarded Windows devices seen in the last 30 days (latest DeviceInfo record per device)
let ActiveWindowsDevices =
DeviceInfo
| where Timestamp > ago(30d)
| where OSPlatform startswith "Windows"
| summarize arg_max(Timestamp, *) by DeviceId
| where isnotempty(DeviceName)
| where OnboardingStatus == "Onboarded"
| project DeviceId, DeviceName, OSPlatform, OSVersion;
// Identify all devices that have the WSL plugin installed
let DevicesWithWslPlugin =
DeviceTvmSoftwareInventory
| where SoftwareName has "Defender for Endpoint plug-in for WSL" or SoftwareName has "DefenderPluginForWSL"
| summarize by DeviceId;
// Combine the tables and display "yes" or "no"
ActiveWindowsDevices
| extend WslPluginInstalled = iif(DeviceId in (DevicesWithWslPlugin), "yes", "no")
| sort by DeviceName asc
// Optional filter for devices with missing WSL plugin
//| where WslPluginInstalled == "no"
// Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) https://learn.microsoft.com/en-us/defender-endpoint/mde-plugin-wsl
```
About this query
Identify Windows Devices Missing Defender for Endpoint WSL Plugin
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
Description
This rule identifies Windows devices that are onboarded to Microsoft Defender for Endpoint but do not have the Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) installed. This helps ensure comprehensive security coverage for WSL environments. See the installation instructions in Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL): https://learn.microsoft.com/en-us/defender-endpoint/mde-plugin-wsl
Author
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to identify Windows devices that are part of Microsoft Defender for Endpoint but do not have the Defender for Endpoint plugin installed for the Windows Subsystem for Linux (WSL). Here's a breakdown of what the query does:
- Active Windows Devices:
  - It first gathers a list of Windows devices that have been active in the last 30 days.
  - It ensures these devices are onboarded to Microsoft Defender for Endpoint.
  - The resulting list includes details like Device ID, Device Name, OS Platform, and OS Version.
- Devices with WSL Plugin:
  - It identifies devices that have the Defender for Endpoint plug-in for WSL installed by checking the software inventory for specific software names related to the plug-in.
- Comparison and Output:
  - It compares the list of active Windows devices with the list of devices that have the WSL plug-in installed.
  - For each device, it adds a column indicating whether the WSL plug-in is installed ("yes" or "no").
  - The results are sorted by device name for easy viewing.
- Optional Filtering:
  - There is an optional filter (commented out) that can be used to show only devices missing the WSL plug-in.
This query helps ensure that all Windows devices using WSL are adequately protected by having the necessary Defender plugin installed.
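The query above reports every onboarded Windows device, whether or not WSL is actually in use on it. The following variant, added here as an example and not part of the author's original query, narrows the gap list to devices where WSL has been launched in the lookback window, so the devices that really need the plug-in surface first. It assumes WSL usage can be approximated by `wsl.exe` or `wslhost.exe` process starts recorded in DeviceProcessEvents.

```kql
// Added example: devices that use WSL but lack the Defender for Endpoint WSL plug-in.
// Assumption: WSL usage is approximated by wsl.exe / wslhost.exe process creations.
let ActiveWindowsDevices =
    DeviceInfo
    | where Timestamp > ago(30d)
    | where OSPlatform startswith "Windows"
    | summarize arg_max(Timestamp, *) by DeviceId
    | where isnotempty(DeviceName) and OnboardingStatus == "Onboarded"
    | project DeviceId, DeviceName, OSVersion;
// Same inventory check as the original query
let DevicesWithWslPlugin =
    DeviceTvmSoftwareInventory
    | where SoftwareName has "Defender for Endpoint plug-in for WSL" or SoftwareName has "DefenderPluginForWSL"
    | summarize by DeviceId;
// Devices on which WSL was actually started during the lookback window
let DevicesUsingWsl =
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FileName in~ ("wsl.exe", "wslhost.exe")
    | summarize LastWslLaunch = max(Timestamp), WslLaunches = count() by DeviceId;
ActiveWindowsDevices
| join kind=inner DevicesUsingWsl on DeviceId
| extend WslPluginInstalled = iif(DeviceId in (DevicesWithWslPlugin), "yes", "no")
// Keep only the exposure: WSL in use, plug-in absent
| where WslPluginInstalled == "no"
| project DeviceName, OSVersion, LastWslLaunch, WslLaunches, WslPluginInstalled
| sort by WslLaunches desc
```

Devices with many recent WSL launches and no plug-in are the ones to remediate first; the original query remains the right view for verifying full fleet coverage.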
Details

Benjamin Zulliger
Released: June 14, 2026