WSL Is Not Optional
At a regulated bank, nobody has to ban WSL. It is enough that nobody owns saying yes.
That is how Linux ends up living on a jumphost. And how developers end up commuting to it.
The Part That Is Not Up for Debate
The modern toolchain assumes Linux. Containers are Linux processes, the build scripts are bash, and the tools that glue a pipeline together are Linux-first, every one of them. The AI coding agents we are all adopting assume a POSIX shell underneath them, and at Build this year Microsoft put its agent containment layer directly into Windows and WSL, as I wrote in the Build verdict. When the vendor that owns the corporate desktop ships its own future inside the Linux subsystem, the debate about whether bank developers need Linux is over. They need it. The only open question is on what terms they get it.
I have lived both sides of that question: I write code, and I run enterprise architecture, so the friction I feel in the morning comes back to me in the afternoon as a ticket queue and a risk conversation. The developer in me and the architect in me have been arguing about Linux on the laptop for years.
Both of them answer to the same constraint. In a midsize bank, the DevOps, IT, and security teams are small. Capable, but small, and stretched across everything from core banking to the phone system. Every clever idea about developer experience lands on people who were already busy.
The Commute
When the only sanctioned Linux is a jumphost, the day looks like this. You open the remote session, and your real development environment is somewhere else: a shared Windows VM with WSL enabled, an SSH box, a cloud VM, depending on your team and which year its exception was granted. The inconsistency is not an accident. Each setup was somebody’s one-time answer to the same unowned question.
Keystrokes arrive a beat behind your fingers. The session drops at 11:58 with your debugger mid-flight and takes your terminal state with it. Files cross the boundary through whatever transfer mechanism survived the last audit, slowly. The clipboard works, except when it does not. Your tools live where your editor is not. None of this shows up in a metric, because what the commute costs is attention, and attention is the one thing nobody meters.
The proxy still finds you there, too. The first curl inside any bank network gets answered by TLS inspection before it reaches the internet: unable to get local issuer certificate. Fixing the system trust store fixes nothing else; pip, node, the JVM, and docker each carry their own. The fix is documented by developers, in blog posts, for each other, because the failure lives in the seam between two vendors’ products and neither one claims it.
The Jumphost Is Not a Dumb Answer
I want to be fair to the jumphost, because it is not stupidity, it is an answer. Bank examiners work from the FFIEC handbook, and their questions are reasonable: is the asset inventory complete, does endpoint protection cover everything, can you produce logs. A jumphost answers all three cleanly. One place, fully instrumented, contained, and off the developer’s laptop entirely.
The jumphost exists because the security question had an owner and the developer experience question did not. It was designed as an answer to an examiner, and as that, it works. As the place where engineers spend eight hours a day, it is a tax that compounds every keystroke. That is the compliance tax at its purest: legitimate in origin, unexamined in cost.
Nobody Owns the Yes
At most institutions, WSL on the laptop was never evaluated and rejected. There is no memo. The controls to govern it have existed for years: Intune has shipped WSL controls since late 2023, and the endpoint vendors have followed. What does not exist is anyone whose job is to assemble those pieces into a yes. IT owns the endpoint, security owns the risk, DevOps owns the tooling, and the subsystem that touches all three reports to none of them.
So the request bounces. IT routes it to security because it mentions certificates. Security routes it to DevOps because it is developer tooling. DevOps routes it back to IT because it is, after all, an endpoint. Nobody is wrong. Nobody owns it. Meanwhile Docker Desktop quietly turns into a $24 per user per month procurement decision that also has no owner.
Whoever owns the yes also absorbs Microsoft’s churn: mirrored networking was the recommended cure for VPN pain until a Windows update in October 2025 broke it under VPN. The platform moves monthly. A small infrastructure team absorbs change quarterly. The distance between those two clocks is exactly what an owner is for.
Make WSL Legible to Whatever You Already Run
The first rule I hold any proposal to: no new control planes. A small team cannot adopt a new console, a new agent, and a new vendor to govern one subsystem. The pitch has to land inside whatever the institution already runs, and it now can, in any of the estates you actually find in enterprises, because almost nobody is all-Microsoft.
If the estate is Microsoft: the Defender for Endpoint plug-in for WSL puts every distro in the same portal as every other endpoint, mapped to its Windows host, queryable with the SOC’s existing hunting language. The Intune settings catalog locks the knobs that should worry anyone, custom kernels, the debug shell, networking overrides, without banning the subsystem.
If the EDR is CrowdStrike, the answer has the same shape: the Falcon sensor for Windows added a WSL2 visibility plugin in mid-2025 that watches distro activity from the host. The trap worth knowing: installing the Falcon Linux sensor inside the distro buys almost nothing, because the WSL kernel is not on the supported list and the sensor drops to reduced functionality, heartbeats only. Host-side is the move, whichever vendor’s badge is on the console.
If the vulnerability scanner is Rapid7, look at what its supported-OS matrix does not list: WSL distros. The inside of the distro is dark to the scanning plane. That is not an argument against WSL. It is the strongest argument for what comes next.
Ship the Distro Like You Ship Software
Stop treating WSL as a per-developer install. Treat the distro as a build artifact, and ship it like any other internal release.
WSL supports custom distributions: a tarball with a manifest, installable by name from a private distribution list the enterprise controls. So build one in CI. Bake the corporate root into every trust store that matters, so the proxy is solved before anyone’s first curl. Preconfigure the proxy and DNS settings that survive the VPN. Include a container runtime that does not trigger a licensing conversation. Version it, hash it, publish it, and day one becomes wsl --install bank-dev and ten minutes, not a commute.
You do not even have to grow the image yourself. Red Hat now ships RHEL 8, 9, and 10 as official WSL distributions, supported for development use under a subscription, and Image Builder will produce a customized RHEL image formatted for WSL. For an institution whose servers already run RHEL, that is the whole pitch: developers working on the same enterprise Linux they deploy to, behind a vendor support contract, on the laptop. A risk committee knows what to do with that shape.
The artifact also answers the question the scanner could not. You know what is inside the distro because you built it, version by version, with the pipeline emitting the inventory as it goes. Where the visibility planes are dark, provenance carries the audit. And since WSL itself went open source in May 2025, there is no black box left in the stack to defend.

The Paved Road Beats the Commute
The jumphost survives this, doing what it is genuinely good at: heavy compute, contractor access, break-glass administration. But as the default developer experience, remote-everything is losing its alibi. Even Microsoft’s flagship cloud workstation answer, Dev Box, is now in maintenance mode. The local loop is not going away.
And the unowned gap does not stay empty. It fills with Git Bash, portable binaries, and whatever else fits through the cracks: the exact unmanaged shadow assets IBM’s breach research keeps finding in roughly a third of breaches. Or it fills with a resignation letter from the engineer somebody spent a year recruiting. The cheapest control available is making the sanctioned path the fastest one.
What I Cannot Promise You
The honest part. Microsoft’s own enterprise guidance lists what is still unsupported: you cannot patch what is inside a distro with Windows tooling, you cannot fully control which distros users sideload, and root inside the distro is not yours to take away. The visibility story is eyes, not hands, on every estate: Defender’s plug-in sees but cannot run response actions, Falcon’s plugin watches from the host, and the scanner does not see in at all. Mirrored networking will probably break again on some future Windows update.
And the golden image needs an owner, which is the same unowned yes this whole post is about, now with a build pipeline attached. A paved road is a commitment, not a purchase. Somebody has to care enough to read the release notes, and in my experience that ends up being whoever wrote the post arguing for it.
Where This Lands
The trajectory is good. WSL is open source, RHEL is an official citizen, the endpoint vendors can finally see the subsystem, and the gap between Linux as a guest and Linux as a managed member of the fleet narrows with each release. Until it closes, the institutions that treat their developers’ Linux like a product, versioned, governed, and shipped, will keep both their examiners and their engineers. The ones that keep it on a jumphost will keep neither.
What makes this urgent is not the developers. An AI coding agent cannot commute to a jumphost; its whole value is the tight local loop between editor, shell, and repo. The agents are coming to the laptop, and they will need a governed Linux waiting there when they arrive. That is the next post.
If this resonated, the companion read is Microsoft Conceded the Harness. Then It Moved the Moat., where the agent containment layer that now lives inside WSL changes what the subsystem is for.
If you are fighting this same fight at your institution, especially if you found a better answer to the golden-image ownership problem, I want to hear it. Find me on X @orestesgarcia or LinkedIn /in/setsero.