Microsoft rolls out native Sysmon monitoring in Windows 11


Microsoft has started rolling out built-in Sysmon functionality to some Windows 11 systems enrolled in the Windows Insider program.

Microsoft first revealed plans to integrate Sysmon natively into Windows 11 and Windows Server in November, when it also said it would soon release detailed documentation.

Sysmon (short for System Monitor) is a free Microsoft Sysinternals tool, installed as a Windows system service plus a kernel driver, that monitors system activity for malicious or suspicious behavior and records it in the Windows Event Log. Recent Sysinternals releases can also block a few operations outright, such as the creation of executable files, but its core job is to log, not to prevent.


Out of the box it records basic events such as process creation and termination; with a custom configuration file it can also be told to watch more specific behavior, including executable file creation, process tampering, Windows clipboard changes, and even to keep copies of deleted files in an archive directory.

Although Sysmon is a very popular tool for troubleshooting persistent Windows issues and for threat hunting, it normally has to be installed separately on each device, which makes it harder to deploy and manage in large IT environments.

“Windows now brings Sysmon functionality natively to Windows. Sysmon functionality allows you to capture system events that can help with threat detection, and you can use custom configuration files to filter the events you want to monitor,” the Windows Insider program team announced on Tuesday.

“The captured events are written to the Windows event log, enabling them to be used with security applications and a wide range of use cases.”

Although Sysmon is now natively supported in Windows, it is disabled by default, and users must enable it explicitly. Microsoft stresses that a Sysmon downloaded from the Sysinternals website must be uninstalled before the built-in one is enabled. The procedure is:

  1. Go to Settings > System > Optional features > More Windows features and tick Sysmon (the same optional-features list can also be driven from PowerShell or the Command Prompt).
  2. Finish the installation by running, from PowerShell or the Command Prompt, the command Microsoft gives in the announcement.
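The steps above as one scripted procedure, written for this article as an added PowerShell example rather than Microsoft's own tooling. It goes a little beyond the list: it refuses to proceed while the Sysinternals Sysmon service or driver is still registered, discovers the optional feature by name instead of hard-coding one, writes a minimal configuration file, and reads back recent process-creation events. Several details are assumptions the article does not confirm: that the feature's name contains "Sysmon", that the built-in Sysmon accepts the Sysinternals XML configuration format (including the schemaversion shown), and that it writes to the same Microsoft-Windows-Sysmon/Operational channel with the same event IDs.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code) for enabling the built-in Sysmon optional feature.
# Assumptions: feature name matches *Sysmon*; built-in Sysmon reads the Sysinternals XML
# config format; events land in Microsoft-Windows-Sysmon/Operational with the usual IDs.
$ErrorActionPreference = 'Stop'

function Test-StandaloneSysmon {
    # The Sysinternals installer registers a Sysmon or Sysmon64 service and the SysmonDrv kernel driver.
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
    return [bool]($svc -or $drv)
}

function Get-SysmonFeatureName {
    # Discover the feature rather than guessing a name the article does not give (assumption: it contains "Sysmon").
    $features = @(Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like '*Sysmon*' })
    if ($features.Count -eq 0) { throw 'No optional feature matching *Sysmon* found; is this build new enough?' }
    return $features[0].FeatureName
}

function Enable-BuiltInSysmon {
    if (Test-StandaloneSysmon) {
        throw 'Sysinternals Sysmon is still installed. Remove it first (sysmon -u or sysmon64 -u), reboot, then rerun.'
    }
    $name = Get-SysmonFeatureName
    if ((Get-WindowsOptionalFeature -Online -FeatureName $name).State -eq 'Enabled') {
        Write-Host "$name is already enabled"
        return $name
    }
    # Same effect as ticking the box under Settings > System > Optional features > More Windows features.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart
    if ($result.RestartNeeded) { Write-Warning 'A restart is required before Sysmon starts logging.' }
    return $name
}

# Minimal configuration in the Sysinternals Sysmon schema (assumed to be accepted by the built-in version).
# An empty "exclude" rule logs every event of that type; "include" rules log only what they match.
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <ArchiveDirectory>SysmonArchive</ArchiveDirectory>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <ProcessTampering onmatch="exclude" />
    <ClipboardChange onmatch="include">
      <Image condition="contains">powershell</Image>
    </ClipboardChange>
    <FileDelete onmatch="include">
      <TargetFilename condition="end with">.ps1</TargetFilename>
    </FileDelete>
  </EventFiltering>
</Sysmon>
'@

function Get-RecentProcessCreates([int]$Count = 10) {
    # Event ID 1 is ProcessCreate in the Sysinternals channel; the channel name is an assumption here.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data.Image
            CommandLine = $data.CommandLine
            Parent      = $data.ParentImage
        }
    }
}

$feature = Enable-BuiltInSysmon
$cfgPath = Join-Path $env:ProgramData 'sysmon-config.xml'
Set-Content -Path $cfgPath -Value $config -Encoding UTF8
Write-Host "Enabled $feature. Apply $cfgPath with the configuration command Microsoft documents for the built-in Sysmon (for the Sysinternals build that is 'sysmon -c <file>')."
Get-RecentProcessCreates -Count 5 | Format-Table -AutoSize
```

The check in Test-StandaloneSysmon is the part worth keeping even if you enable the feature by hand: the article's one hard requirement is that the Sysinternals Sysmon is gone first, and a driver that survived an incomplete uninstall is easy to miss when you only look at the service list.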

The new optional Sysmon capabilities are rolling out to Windows Insiders in the Beta and Dev channels who have installed Windows 11 Preview Build 26220.7752 (KB5074177) and Windows 11 Preview Build 26300.7733 (KB5074178), respectively.

Last month, Microsoft also began testing a new policy that allows IT admins to uninstall the AI-powered Copilot digital assistant from managed devices.
