Technology Microsoft rolls out native Sysmon monitoring in Windows 11

Brownie2019

Mar 9, 2019
Microsoft has started rolling out built-in Sysmon functionality to some Windows 11 systems enrolled in the Windows Insider program.

Microsoft first revealed plans to integrate Sysmon natively into Windows 11 and Windows Server in November, when it also confirmed that it will soon release detailed documentation.

Sysmon (short for System Monitor) is a free Microsoft Sysinternals tool (and a Windows system service and device driver) that monitors for and blocks malicious/suspicious activity, logging it to the Windows Event Log.
This matches what Microsoft is now testing in Windows 11 Insider: “built-in Sysmon” as a Windows feature you can optionally enable, rather than having to deploy the Sysinternals Sysmon binaries yourself. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-native-windows-11-sysmon-security-monitoring/))

What’s actually rolling out (and to whom)
  • It’s currently in Windows Insider Preview builds released on February 3, 2026:
    • Beta Channel: Build 26220.7752 (KB5074177) ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))
    • Dev Channel: Build 26300.7733 (KB5074178) ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26300-7733-dev-channel/))
  • Sysmon is still disabled by default and must be explicitly enabled by the user/admin. ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))

How enabling works (Insider procedure)
Microsoft’s current steps are essentially:
  • Enable the Windows feature (GUI: Settings → System → Optional features → More Windows features → check “Sysmon”, or DISM):
    • Dism /Online /Enable-Feature /FeatureName:Sysmon ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))
  • Then “install/start” Sysmon via command:
    • sysmon -i ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))
  • Important: if Sysmon was previously installed from the Sysinternals download, Microsoft says it must be uninstalled before enabling the built-in feature. ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))

Security impact: helpful signals, but not a magic shield
  • Sysmon’s core value is high-fidelity telemetry (process starts, connections, etc.) written to Windows Event Log for hunting/EDR/SIEM use. ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))
  • Sysmon does not “analyze” what it logs by itself; it’s mainly a data source, and the benefit comes from collection + correlation + detection content. ([learn.microsoft.com](https://learn.microsoft.com/sysinternals/downloads/sysmon))
  • Unfiltered configurations can generate a lot of event volume, and some event types are explicitly noted as potentially noisy—so configuration and log handling matter. ([learn.microsoft.com](https://learn.microsoft.com/sysinternals/downloads/sysmon))

Why “native” matters (especially for enterprises)
The Microsoft framing is that making Sysmon functionality a Windows capability reduces deployment/patching overhead (updates flow through Windows Update) and makes it easier to standardize at scale. ([techcommunity.microsoft.com](https://techcommunity.microsoft.com/blog/Windows-ITPro-blog/native-sysmon-functionality-coming-to-windows/4468112))

Where to look for the logs
Sysmon events are typically under:
  • Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational ([techcommunity.microsoft.com](https://techcommunity.microsoft.com/blog/Windows-ITPro-blog/native-sysmon-functionality-coming-to-windows/4468112))

Bottom line: this is a meaningful operational improvement for defenders (especially managed environments), but for typical home users it won’t change anything unless explicitly enabled and paired with a sensible config + a way to consume the logs. ([blogs.windows.com](https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26220-7752-beta-channel/))

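Added example, not from the post or from Microsoft: a PowerShell script that walks the Insider steps quoted above in order (uninstall a previously downloaded Sysinternals Sysmon, enable the optional feature with DISM, run "sysmon -i", then check that the Operational log is receiving events). The config path, the config argument to "sysmon -i", and the service name "Sysmon" for the built-in feature are assumptions; the DISM feature name and the log location come from the post.

```powershell
# Added example, not from the post or from Microsoft. Walks the Insider steps
# quoted above: remove a Sysinternals-deployed Sysmon, enable the built-in
# feature, run "sysmon -i", then confirm the Operational log is live.
# Run from an elevated PowerShell session on a supported Insider build.
#Requires -RunAsAdministrator

# Assumed path to your own filtered config; an unfiltered Sysmon is noisy.
$ConfigPath = 'C:\ProgramData\Sysmon\sysmon-config.xml'

# 1. A previously downloaded Sysmon registers a service named Sysmon or Sysmon64.
#    Microsoft says it must be removed first; use its own binary (sysmon -u force).
foreach ($name in 'Sysmon64', 'Sysmon') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $exe = ($svc.PathName -replace '"', '').Trim()
        Write-Host "Uninstalling existing $name from $exe"
        & $exe -u force
    }
}

# 2. Enable the optional Windows feature (same as the DISM line in the post).
#    Exit code 3010 means a reboot is required before continuing.
& dism.exe /Online /Enable-Feature /FeatureName:Sysmon /NoRestart
if ($LASTEXITCODE -eq 3010) { Write-Warning 'Reboot required; re-run from step 3 afterwards.'; return }
if ($LASTEXITCODE -ne 0)    { throw "DISM failed with exit code $LASTEXITCODE" }

$state = (Get-WindowsOptionalFeature -Online -FeatureName Sysmon).State
if ($state -ne 'Enabled') { throw "Sysmon feature state is '$state', expected Enabled" }

# 3. Install/start the service. Passing a config follows the Sysinternals
#    "sysmon -i <config>" syntax (assumed to apply here); the post shows plain "sysmon -i".
if (Test-Path $ConfigPath) { & sysmon -i $ConfigPath -accepteula }
else                       { & sysmon -i -accepteula }

# 4. Verify: service running (name "Sysmon" assumed) and events landing in the
#    Operational log (Event Viewer: Microsoft > Windows > Sysmon > Operational).
$service = Get-Service -Name Sysmon -ErrorAction SilentlyContinue
Write-Host "Sysmon service status: $($service.Status)"
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, TaskDisplayName |
    Format-Table -AutoSize
```

If step 4 shows no events, confirm the config is not filtering everything out and that the service started; a filtered config is still the right choice for log volume, as the post notes.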