From cc1648e049f610c15f028a617d0880a8d2113666 Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta <kvitta@microsoft.com>
Date: Sun, 10 Nov 2024 08:52:17 +0530
Subject: [PATCH 1/6] Add changes in troubleshooting

---
 defender-endpoint/mde-plugin-wsl.md | 45 ++++++++++++++++-------------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 8a5102dbdd..eba35989b8 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -41,11 +41,9 @@ Be aware of the following considerations before you start:
 
 3. Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend to block such configurations with help of [Microsoft Intune wsl settings](/windows/wsl/intune).
 
-4. OS Distribution is displayed **None** in the **Device overview** page of a WSL device in the Microsoft Defender portal.
+4. The plug-in is not supported on machines with ARM64 processor.
 
-5. The plug-in is not supported on machines with ARM64 processor.
-
-6. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
+5. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
 
 ## Software prerequisites
 
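Review bot: item 4 of the considerations list ("OS Distribution is displayed **None** in the **Device overview** page of a WSL device in the Microsoft Defender portal") is deleted here, but the commit subject only mentions troubleshooting and there is no body explaining the removal. If the portal now shows the distribution, say so in the commit message; if not, keep the item, since it describes what an analyst sees on the WSL device page. Separately, item 3 in the context still reads "We recommend to block"; "We recommend blocking" is the usual form.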
@@ -255,6 +253,15 @@ DeviceProcessEvents
 
 ## Troubleshooting
 
+### If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+
+- In Control Panel, go to **Programs** > **Programs and Features**.
+      
+- Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**.  This action should fix the problem by placing the right files in the expected directories.
+
+   :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
+
+
 ### The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
 
 :::image type="content" source="media/mdeplugin-wsl/wsl-health-check.png" alt-text="Screenshot showing PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check.png":::
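Review bot: the new `###` heading is an entire sentence, including the quoted error string and "To repair it, follow these steps:", which makes for an unwieldy table-of-contents entry and anchor. Use a short heading and move the sentence into the body below it. The two repair actions are performed in order, so a numbered list fits better than `-` bullets. The added line between them consists only of spaces, and there is a double space after "**Repair**.".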
@@ -357,7 +364,9 @@ Collect the networking logs by following these steps:
 
    :::image type="content" source="media/mdeplugin-wsl/wsl-health-check-overview.png" alt-text="Screenshot showing status in PowerShell output." lightbox="media/mdeplugin-wsl/wsl-health-check-overview.png":::
 
-2. Microsoft Defender Endpoint for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
+### WSL1 vs WSL2
+
+- Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
 
    1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
 
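Review bot: the rewritten line calls the product "Microsoft Defender Endpoint plug-in for WSL", dropping the "for" that the rest of the patch uses ("Microsoft Defender for Endpoint plug-in for WSL"). Also, under the new `### WSL1 vs WSL2` heading the whole section becomes a single `-` bullet whose children are the numbered steps; a plain paragraph followed by the numbered list would be simpler.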
@@ -369,29 +378,25 @@ Collect the networking logs by following these steps:
 
    5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
 
-      Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
+   Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
 
-      ```powershell
-      wsl --set-version <YourDistroName> 2
-      ```
+   ```powershell
+   wsl --set-version <YourDistroName> 2
+   ```
 
-      To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell:
+   To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell:
 
-      ```powershell
-      wsl --set-default-version 2
-      ```
+   ```powershell
+   wsl --set-default-version 2
+   ```
 
-3. The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
+### Override Release ring
+
+- The plug-in uses the Windows EDR ring by default. If you wish to switch to an earlier ring, set `OverrideReleaseRing` to one of the following under registry and restart WSL:
 
    - **Name**: `OverrideReleaseRing`
    - **Type**: `REG_SZ`
    - **Value**: `Dogfood or External or InsiderFast or Production`
    - **Path**:  `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Defender for Endpoint plug-in for WSL`
 
-4. If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
-
-   1. In Control Panel, go to **Programs** > **Programs and Features**.
-      
-   2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**. This action should fix the problem by placing the right files in the expected directories.
 
-      :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
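Review bot: the new heading `### Override Release ring` mixes title case and sentence case ("Override release ring" would match headings such as `## Software prerequisites`), and the section under it is one lone `-` bullet that only exists to hold the Name/Type/Value/Path list. While this block is being touched, the **Value** line puts `Dogfood or External or InsiderFast or Production` in a single code span, which reads as one literal string to paste into the `REG_SZ` value; list the four ring names as separate code spans. The hunk also leaves two consecutive blank lines at the end of the section.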

From ed315f1386ed117dba9d868a663f34653dc7b5ca Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta <kvitta@microsoft.com>
Date: Sun, 10 Nov 2024 09:02:04 +0530
Subject: [PATCH 2/6] Change highlighting

---
 defender-endpoint/mde-plugin-wsl.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index eba35989b8..9a04127072 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -253,7 +253,7 @@ DeviceProcessEvents
 
 ## Troubleshooting
 
-### If you see an error on launching WSL, such as "A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND", it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+### If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
 
 - In Control Panel, go to **Programs** > **Programs and Features**.
       
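Review bot: the heading edited here is still a whole sentence at `###` level, now with a long code span inside it, and [PATCH 3/6] replaces it with `### Installation failure` and moves the sentence into the body. Consider squashing this change into that one so the series does not carry an intermediate state of the same line.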

From 4ad9eab7f36f798426012e20b48e939df9ce8052 Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta <kvitta@microsoft.com>
Date: Sun, 10 Nov 2024 09:05:31 +0530
Subject: [PATCH 3/6] Fix indentation

---
 defender-endpoint/mde-plugin-wsl.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 9a04127072..23b1464612 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -253,7 +253,9 @@ DeviceProcessEvents
 
 ## Troubleshooting
 
-### If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
+### Installation failure
+
+If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
 
 - In Control Panel, go to **Programs** > **Programs and Features**.
       
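Review bot: `### Installation failure` names the cause rather than what the reader sees, which is an error when launching WSL; a heading that mentions the launch error (for example the `ERROR_FILE_NOT_FOUND` plug-in error) would be easier to find when searching the page. The repair steps in the context below are still `-` bullets although they are performed in order.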
@@ -366,7 +368,7 @@ Collect the networking logs by following these steps:
 
 ### WSL1 vs WSL2
 
-- Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
+Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
 
    1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
 
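Review bot: the commit is titled "Fix indentation", but after the leading `- ` is removed from the paragraph, the numbered steps below it ("1. Go to your [Microsoft Intune admin center]...") stay indented as if they were still children of a bullet. Dedent them in the same change. The paragraph also still says "Microsoft Defender Endpoint plug-in for WSL", without "for" after "Defender".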

From 5e5e6b37534a9c7f8e8b17acaa1bd835add23754 Mon Sep 17 00:00:00 2001
From: Krishna Vivek Vitta <kvitta@microsoft.com>
Date: Mon, 11 Nov 2024 09:58:30 +0530
Subject: [PATCH 4/6] Add KB article

---
 defender-endpoint/mde-plugin-wsl.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 23b1464612..5013924c3a 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -95,6 +95,7 @@ If your Windows Subsystem for Linux isn't installed yet, follow these steps:
 
 > [!NOTE]
 > If `WslService` is running, it stops during the installation process. You do not need to onboard the subsystem separately. Instead, the plug-in automatically onboards to the tenant the Windows host is onboarded to.
+> Microsoft Defender for Endpoint update for plug-in for WSL [KB Update](https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-plug-in-for-wsl-9f4b2ddc-c47f-4c59-bd02-a3456c667966).
 
 ## Installation validation checklist
 
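Review bot: the added line sits directly under the previous sentence inside the `> [!NOTE]` block, so it renders as part of the same paragraph, and it is a fragment with no verb. Separate it with an empty `>` line or give it its own note, and write a full sentence with descriptive link text instead of "KB Update", for example "For release details, see [Microsoft Defender for Endpoint update for plug-in for WSL](...)." The URL also hard-codes the `en-us` locale.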

From 2668c8b6901b715a92b270b7d03ba88e3fc28cc5 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Mon, 11 Nov 2024 09:39:25 -0800
Subject: [PATCH 5/6] Update mde-plugin-wsl.md

---
 defender-endpoint/mde-plugin-wsl.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 5013924c3a..6b681f28e5 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.custom:
 - partner-contribution
 audience: ITPro
-ms.date: 10/24/2024
+ms.date: 11/11/2024
 search.appverid: MET150
 ---
 

From 7a6305376ee2f3caa083416eb3bd63ca495ce00e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Mon, 11 Nov 2024 09:46:34 -0800
Subject: [PATCH 6/6] Update mde-plugin-wsl.md

---
 defender-endpoint/mde-plugin-wsl.md | 35 +++++++++++++----------------
 1 file changed, 16 insertions(+), 19 deletions(-)

diff --git a/defender-endpoint/mde-plugin-wsl.md b/defender-endpoint/mde-plugin-wsl.md
index 6b681f28e5..9020ea4c15 100644
--- a/defender-endpoint/mde-plugin-wsl.md
+++ b/defender-endpoint/mde-plugin-wsl.md
@@ -35,21 +35,19 @@ Windows Subsystem for Linux (WSL) 2, which replaces the previous version of WSL
 
 Be aware of the following considerations before you start:
 
-1. The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later, updates are supported through Windows Update across all rings. Updates through Windows Server Update services (WSUS), System Center Configuration Manager (SCCM) and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
+- The plug-in doesn't support automatic updates on versions prior to `1.24.522.2`. On version `1.24.522.2` and later. Updates are supported through Windows Update across all rings. Updates through Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), and Microsoft Update catalog are supported only in the Production ring to ensure package stability.
 
-2. It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Once any distribution has been running long enough (at least 30 minutes), it does show up.
+- It takes a few minutes for the plug-in to fully instantiate, and up to 30 minutes for a WSL2 instance to onboard itself. Short-lived WSL container instances might result in the WSL2 instance not showing up in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). When any distribution has been running long enough (at least 30 minutes), it does show up.
 
-3. Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend to block such configurations with help of [Microsoft Intune wsl settings](/windows/wsl/intune).
+- Running a custom kernel and custom kernel command line is not supported. Although the plug-in does not block running in that configuration, it does not guarantee visibility within WSL when you're running a custom kernel and custom kernel command line. We recommend blocking such configurations with [Microsoft Intune wsl settings](/windows/wsl/intune).
 
-4. The plug-in is not supported on machines with ARM64 processor.
+- The plug-in is not supported on machines with an ARM64 processor.
 
-5. The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
+- The plug-in provides visibility into events from WSL, but other features like antimalware, threat and vulnerability management, and response commands are not available for the WSL logical device.
 
 ## Software prerequisites
 
-- WSL version 2.0.7.0 or later must be running with at least one active distro.
-
-   Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
+- WSL version `2.0.7.0` or later must be running with at least one active distro. Run `wsl --update` to make sure you are on the latest version. If `wsl -–version` shows a version older than `2.0.7.0`, run `wsl -–update –pre-release` to get the latest update.
 
 - The Windows client device must be onboarded to Defender for Endpoint.
 
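Review bot: the rewritten prerequisite line keeps `wsl -–version` and `wsl -–update –pre-release`, where the options contain an en dash instead of a hyphen, so they will not be parsed as the intended options when pasted; they should be `wsl --version` and `wsl --update --pre-release`. In the first bullet, the edit splits the sentence into "On version `1.24.522.2` and later. Updates are supported through Windows Update across all rings.", leaving a fragment; restore the comma and lowercase "updates".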
@@ -142,9 +140,9 @@ For example, if your host machine has both `Winhttp proxy` and `Network & Intern
 > [!NOTE]
 > The `DefenderProxyServer` registry key is no longer supported. Follow the steps described earlier in this article to configure proxy in plug-in.
 
-## Connectivity test for Defender running in WSL
+## Connectivity test for Defender for Endpoint running in WSL
 
-The defender connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
+The Defender for Endpoint connectivity test is triggered whenever there is a proxy modification on your device and is scheduled to run every hour.
 
 On starting your wsl machine, wait for 5 minutes and then run `healthcheck.exe` (located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test). If successful, you can see that the connectivity test was a success. If failed, you can see that the connectivity test was `invalid` indicating that the client connectivity from MDE plug-in for WSL to Defender for Endpoint service URLs is failing.
 
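Review bot: the rename to "Defender for Endpoint" in the heading and first sentence stops short of the next paragraph, which still says "MDE plug-in for WSL" and "wsl machine". That paragraph also has its closing parenthesis in the wrong place: "(located at `%ProgramFiles%\Microsoft Defender for Endpoint plug-in for WSL\tools` for the results of the connectivity test)" should close right after `tools`.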
@@ -258,12 +256,11 @@ DeviceProcessEvents
 
 If you see an error on launching WSL, such as `A fatal error was returned by plugin 'DefenderforEndpointPlug-in' Error code: Wsl/Service/CreateInstance/CreateVm/Plugin/ERROR_FILE_NOT_FOUND`, it means the Defender for Endpoint plug-in for WSL installation is faulty. To repair it, follow these steps:
 
-- In Control Panel, go to **Programs** > **Programs and Features**.
-      
-- Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**.  This action should fix the problem by placing the right files in the expected directories.
+1. In Control Panel, go to **Programs** > **Programs and Features**.
 
-   :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
+2. Search for and select **Microsoft Defender for Endpoint plug-in for WSL**. Then select **Repair**.  This action should fix the problem by placing the right files in the expected directories.
 
+   :::image type="content" source="media/mdeplugin-wsl/plug-in-repair-control-panel.png" alt-text="Screenshot showing MDE plug-in for WSL repair option in control panel." lightbox="media/mdeplugin-wsl/plug-in-repair-control-panel.png":::
 
 ### The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in five minutes."
 
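Review bot: step 2 ends with "This action should fix the problem", but the procedure gives the reader no way to confirm that it did; consider a third step that says to launch WSL again and check that the plug-in error no longer appears. The added step 2 line also carries over the double space after "**Repair**.".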
@@ -371,15 +368,15 @@ Collect the networking logs by following these steps:
 
 Microsoft Defender Endpoint plug-in for WSL supports Linux distributions running on WSL 2. If they're associated with WSL 1, you might encounter issues. Therefore, it's advised to disable WSL 1. To do so with the Intune policy, perform the following steps:
 
-   1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
+1. Go to your [Microsoft Intune admin center](https://intune.microsoft.com).
 
-   2. Go to **Devices** > **Configuration Profiles** > **Create** > **New Policy**.
+2. Go to **Devices** > **Configuration Profiles** > **Create** > **New Policy**.
 
-   3. Select **Windows 10 and later** > **Settings catalog**.
+3. Select **Windows 10 and later** > **Settings catalog**.
 
-   4. Create a name for the new profile, and search for **Windows Subsystem for Linux** to see and add the full list of available settings.
+4. Create a name for the new profile, and search for **Windows Subsystem for Linux** to see and add the full list of available settings.
 
-   5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
+5. Set the **Allow WSL1** setting to **Disabled**, to ensure that only WSL 2 distributions can be used.
 
    Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell:
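Review bot: the five steps are dedented to the left margin, but the "Alternately, if you want to keep using WSL 1..." paragraph in the trailing context is still indented, so it renders as a continuation of step 5 even though it is an alternative to the whole Intune procedure. Dedent it as well, along with anything that follows it at the same indent. The intro paragraph also still reads "Microsoft Defender Endpoint plug-in for WSL", without "for" after "Defender".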