
Microsoft Introduces Sysmon Support in Windows 11: What You Need to Know

Windows 11 Gains Built-In Sysmon Support, Reducing Deployment Friction for Enterprise Security Teams

Written By : Humpy Adepu
Reviewed By : Atchutanna Subodh

Overview

  • Microsoft is embedding Sysmon directly into Windows 11, eliminating manual installation and deployment challenges.

  • Native Sysmon improves consistency and reliability of endpoint telemetry across large enterprise environments.

  • The feature is currently limited to Windows Insider builds, targeting security and IT professionals.

Microsoft has begun rolling out built-in Sysmon functionality to Windows 11 devices enrolled in the Windows Insider program. The company first announced in November 2025 that it would incorporate Sysmon natively into Windows and publish detailed technical documentation for it.

Security experts are getting a first look at what might be a significant improvement to Windows' built-in security tools.

What is Sysmon?

System Monitor, or Sysmon, is a well-known tool from Microsoft's Sysinternals suite. It runs as a Windows service paired with a kernel-mode driver, continuously monitoring system activity and writing detailed telemetry to the Windows Event Log under the Microsoft-Windows-Sysmon/Operational channel.

Sysmon is a trusted tool for threat hunters, security operations centers (SOCs), and IT administrators trying to diagnose critical system issues.

Out of the box, Sysmon records fundamental events such as process creation and termination. But its real strength lies in its configurability. With the right custom rule sets in place, Sysmon can go much deeper, capturing granular behaviour that often reveals malicious activity. This includes:

  • Creation or modification of executable files (FileCreate, event ID 11; FileExecutableDetected, event ID 29)

  • Process injection or tampering attempts (CreateRemoteThread, event ID 8; ProcessTampering, event ID 25)

  • Registry changes linked to persistence mechanisms (RegistryEvent, event IDs 12 to 14)

  • Clipboard activity, which malware frequently abuses (ClipboardChange, event ID 24)

  • File deletions, with the option to archive a copy of the deleted file for forensic analysis (FileDelete, event ID 23)

Embedding Sysmon in Windows Redefines Endpoint Visibility

Despite its popularity, Sysmon has always had to be installed and managed separately on each system. Distributing the binary and driver, keeping versions in step across the fleet and pushing configuration updates all add operational complexity for enterprises.

Microsoft is now addressing these issues by including Sysmon directly within Windows. According to the Windows Insider team, this allows the same flexible configuration model that Sysmon is known for to be used to capture security-related system events without relying on an installer.

It also fits a broader trend towards native security telemetry: capabilities that ship with the operating system, can be managed centrally, and are harder to tamper with or misconfigure than separately installed agents.


How Does Native Sysmon Work?

Although Sysmon is now included natively in Windows 11 preview builds, it ships disabled by default. Administrators must explicitly enable it, so the decision to take on its performance cost and log volume stays with them rather than with the platform.

There are a few important implementation details to keep in mind:

  • Any existing Sysmon installation downloaded from the Sysinternals website must be removed before enabling the built-in version.

  • Sysmon can be enabled either through Windows settings or via command-line tools such as DISM and PowerShell.

  • Once enabled, administrators still need to initialise Sysmon and apply a configuration file to specify which events to log.

This opt-in approach underscores Microsoft’s recognition that Sysmon is a powerful capability that, if misconfigured, can generate excessive logs or negatively affect system performance.
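The three implementation steps above, together with the event classes listed in the section describing what Sysmon can capture, can be carried out from one elevated PowerShell session. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes that the optional feature is named Sysmon and that, once enabled, the built-in binary is reachable as sysmon.exe on PATH; both are assumptions to check against the Insider build in use.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): enable built-in Sysmon on a
# Windows 11 Insider build, then initialise it with a small configuration that
# covers the event classes the article lists.
# Assumptions: optional feature is named "Sysmon"; after enabling, the built-in
# binary is on PATH as sysmon.exe. Verify both on the build you are testing.

$ErrorActionPreference = 'Stop'
$FeatureName = 'Sysmon'                                        # assumption
$ConfigPath  = Join-Path $env:ProgramData 'sysmon-baseline.xml'

# 1. A Sysinternals-download Sysmon must go before the built-in one is enabled.
#    The standalone package registers a service named Sysmon or Sysmon64 whose
#    image path is the installed binary; that binary's -u switch uninstalls it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
if (-not $feature) {
    throw "Optional feature '$FeatureName' not found on this build; the feature name is an assumption."
}
if ($feature.State -ne 'Enabled') {
    $legacy = Get-CimInstance Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'"
    foreach ($svc in $legacy) {
        $exe = $svc.PathName.Trim('"')
        Write-Host "Removing standalone Sysmon service $($svc.Name) via $exe"
        & $exe -u force
    }
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    if ($result.RestartNeeded) { Write-Warning 'Restart required before Sysmon can be initialised.' }
}

# 2. Minimal configuration. Each RuleGroup maps to one bullet in the article;
#    event IDs in the comments are Sysmon's documented ones. An empty
#    onmatch="exclude" element logs every event of that type. Confirm the
#    schema version your binary accepts with: sysmon -s
$config = @"
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <!-- Deleted files and clipboard contents are copied to <volume>:\Sysmon -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <!-- Executable files written to disk: FileCreate, ID 11 -->
    <RuleGroup groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Injection and tampering: CreateRemoteThread (8), ProcessTampering (25) -->
    <RuleGroup groupRelation="or">
      <CreateRemoteThread onmatch="exclude" />
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
    <!-- Persistence via Run/RunOnce keys: RegistryEvent, IDs 12, 13, 14 -->
    <RuleGroup groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <!-- Clipboard changes, ID 24. Caveat: contents land in the archive
         directory, so treat that folder as sensitive data. -->
    <RuleGroup groupRelation="or">
      <ClipboardChange onmatch="exclude" />
    </RuleGroup>
    <!-- Deleted scripts and executables, archived for forensics: FileDelete, ID 23 -->
    <RuleGroup groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@
Set-Content -Path $ConfigPath -Value $config -Encoding UTF8

# 3. Initialise the driver and service and load the configuration. On a fresh
#    host -i with a config path does both; on an initialised host -c only swaps
#    the configuration.
$sysmon = Get-Command 'sysmon.exe' -ErrorAction SilentlyContinue
if (-not $sysmon) {
    throw "sysmon.exe not found after enabling '$FeatureName'; a restart may be pending or the PATH assumption is wrong."
}
if (Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon.Source -c $ConfigPath
} else {
    & $sysmon.Source -accepteula -i $ConfigPath
}

# 4. Verify the service is running and events reach the channel.
#    RuleName is the first data field of most Sysmon events.
Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Format-Table Name, Status
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' | Format-Table LogName, IsEnabled, RecordCount
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, @{ n = 'RuleName'; e = { $_.Properties[0].Value } } |
    Format-Table -AutoSize
```

The configuration is deliberately narrow so that the first run stays readable; in production the include rules would be widened and exclude rules added for known-noisy processes. The clipboard rule is the one to think hardest about, since it writes clipboard contents to disk on every change, which is useful in an investigation and a liability on a shared workstation.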

Who Has Access to Sysmon?

The native Sysmon feature is now rolling out to Windows Insider systems in the Beta and Dev channels. It is currently available to users running:

  • Windows 11 Preview Build 26220.7752 (KB5074177)

  • Windows 11 Preview Build 26300.7733 (KB5074178)

The feature is aimed at testers, security engineers and IT professionals who can assess its behaviour in real environments. Microsoft has not yet said when native support will reach production releases of Windows 11 or Windows Server.


The Bigger Picture

Microsoft’s native integration of Sysmon in Windows 11 is a significant but subtle evolution in endpoint security. By removing the need for separate installation and maintenance, the company reduces deployment friction and makes endpoint telemetry more consistent across a fleet.

For security teams, that means better visibility into system activity and fewer blind spots. Making advanced security capabilities a native part of the operating system also signals where Microsoft is taking the platform; how much difference the feature makes in practice will only become clear once it reaches production builds.


FAQs

1. What is native Sysmon in Windows 11?

Native Sysmon is Microsoft’s built-in version of System Monitor, providing detailed system telemetry without requiring separate installation or third-party deployment tools.

2. Who can currently access the native Sysmon feature?

It is limited to Windows Insider users on Beta and Dev channels, primarily targeting security engineers, testers, and IT professionals.

3. Is native Sysmon enabled by default in Windows 11?

No. Sysmon remains disabled by default and must be manually enabled to control performance impact and logging volume.

4. Do administrators still need configuration files with native Sysmon?

Yes. Administrators must apply Sysmon configuration files to define which system events are collected and logged.

5. Why is Microsoft integrating Sysmon directly into Windows?

The move reduces deployment friction, improves telemetry consistency, and strengthens endpoint security through tighter operating system integration.
