Microsoft is building Sysmon into Windows 11 and Windows Server 2025. The security tool, until now distributed separately as part of the Sysinternals suite, will become an optional feature of the operating system itself.
Microsoft announced in November 2025 that Sysmon functionality would become available natively in Windows. The company is now rolling out the feature to Windows 11 Insider Preview Build 26220.7752. The tool is disabled by default and must be activated explicitly.
Sysmon monitors system activity and writes events to the Windows event log. The data it produces helps detect threats such as credential theft and lateral movement across a network. Security teams forward the generated events to SIEM systems for analysis and detection.
End of operational overhead
For many IT administrators, Sysmon has meant manual work: downloading binaries, rolling out configurations, and keeping the tool updated across thousands of endpoints. Delayed updates left endpoints running outdated versions. In addition, Sysinternals tools carry no official Microsoft support for production environments, which added to the maintenance burden.
Native integration addresses these issues. The binary is updated through Windows Update like any other OS component, and because enabling it is a standard Windows optional feature, deployment and compliance checks can be handled with existing management tooling. What does not change is the rule set: the Sysmon XML configuration is still yours to author, test, and distribute.
Activation and configuration
Users can enable Sysmon via Settings > System > Optional features > More Windows features, or from an elevated PowerShell prompt with the command "Dism /Online /Enable-Feature /FeatureName:Sysmon". After installation, start the service with "sysmon -i" from PowerShell or the command prompt; "sysmon -i <config.xml>" installs it with a custom configuration instead of the default one.
If you have already installed Sysmon from the Sysinternals website, you must uninstall it first ("sysmon -u", or "sysmon64 -u" for the 64-bit build) before the built-in version can be activated. The functionality remains unchanged, including support for custom configuration files.
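The enable, uninstall-old-copy, install-with-config and verify steps above, put together as one PowerShell script. This is an added example, not code from the article or from Microsoft; the configuration path is an assumption, and the script assumes the Sysinternals copy was installed under its default service name (Sysmon or Sysmon64), which is how it locates the binary for "-u".

```powershell
# Added example (not from the original article or from Microsoft).
# Run from an elevated PowerShell session on a build that ships the Sysmon optional feature.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Assumed location of your Sysmon rule set; point this at your own XML.
    [string]$ConfigPath = 'C:\ProgramData\Sysmon\sysmonconfig.xml'
)

$ErrorActionPreference = 'Stop'

# 1. Remove a previously installed Sysinternals copy. By default it registers a
#    service named 'Sysmon' (32-bit) or 'Sysmon64' and copies its binary into
#    %SystemRoot%. A renamed install would have to be removed by hand.
$legacy = Get-CimInstance Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'"
foreach ($svc in $legacy) {
    $exe = $svc.PathName.Trim('"')
    Write-Host "Uninstalling existing Sysinternals Sysmon service '$($svc.Name)' ($exe)"
    & $exe -u
    if ($LASTEXITCODE -ne 0) { throw "'$exe -u' failed with exit code $LASTEXITCODE" }
}

# 2. Enable the optional feature. This is the cmdlet equivalent of
#    'Dism /Online /Enable-Feature /FeatureName:Sysmon'.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Sysmon'
if (-not $feature) { throw 'The Sysmon optional feature is not present on this build of Windows.' }
if ($feature.State -ne 'Enabled') {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName 'Sysmon' -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'A restart is required before Sysmon can be started. Re-run this script afterwards.'
        return
    }
}

# 3. Start Sysmon with your rule set. Plain 'sysmon -i' would load the default
#    (minimal) configuration, which produces far fewer events than a tuned one.
if (Test-Path $ConfigPath) {
    & sysmon.exe -i $ConfigPath
} else {
    Write-Warning "No configuration found at $ConfigPath; installing with the default configuration."
    & sysmon.exe -i
}
if ($LASTEXITCODE -ne 0) { throw "'sysmon -i' failed with exit code $LASTEXITCODE" }

# 4. Verify: dump the active configuration and confirm the event channel exists.
& sysmon.exe -c
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
'Channel {0}: enabled={1}, records so far={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
```

Later rule-set changes are applied in place with "sysmon -c <config.xml>"; no reinstall is needed. Since the native feature handles the binary but not the configuration, this last command is the one your endpoint management tooling will keep running.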
The tool writes events to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational in Event Viewer (channel name Microsoft-Windows-Sysmon/Operational). Sysmon does not analyze events or generate alerts itself; it provides data for interpretation by SIEM systems. That data covers activity not normally visible in standard Windows logs, such as process creation with full command lines and file hashes, network connections tied to the originating process, driver and image loads, and handles opened to other processes.
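What that data looks like once it is in the channel, and how a detection built on it reads, as an added example that is not part of the original article. The function flattens each event's EventData into one object; the field names (Image, CommandLine, SourceImage, TargetImage, GrantedAccess) are Sysmon's own. The lsass.exe filter and its allowlist are an illustrative credential-theft hunt, not a Microsoft rule, and Event ID 10 only appears if the active rule set includes a ProcessAccess rule. The export path is an assumption.

```powershell
# Added example (not from the original article or from Microsoft).
# Reads Sysmon events from the built-in channel and flattens them for analysis or export.
function Get-SysmonEvent {
    param(
        [Parameter(Mandatory)][int[]]$Id,
        [int]$MaxEvents = 200,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each Sysmon event carries its fields as <Data Name="...">value</Data> elements.
            $xml = [xml]$_.ToXml()
            $props = [ordered]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Computer    = $_.MachineName
            }
            foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
            [pscustomobject]$props
        }
}

# Event ID 1 (process creation): the event most commonly forwarded to a SIEM,
# and the one that shows command lines the Security log does not record by default.
Get-SysmonEvent -Id 1 -MaxEvents 5 |
    Select-Object TimeCreated, Image, CommandLine, ParentImage, User |
    Format-Table -Wrap

# Event ID 10 (process access): a handle to lsass.exe from anything outside a
# short, environment-specific allowlist is a classic credential-dumping indicator.
# The allowlist below is illustrative; tune it to your own baseline. Because it
# matches on path only, it does not defend against code injected into those processes.
$allow = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\csrss.exe'
)
Get-SysmonEvent -Id 10 -MaxEvents 1000 |
    Where-Object { $_.TargetImage -like '*\lsass.exe' -and $_.SourceImage -notin $allow } |
    Select-Object TimeCreated, SourceImage, GrantedAccess, CallTrace |
    Format-Table -Wrap

# Export as newline-delimited JSON (one event per line), the shape most SIEM
# collectors accept when an agent is not reading the channel directly.
Get-SysmonEvent -Id 1, 3, 10 |
    ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Set-Content -Path 'C:\ProgramData\Sysmon\export.ndjson' -Encoding utf8
```

The point of the flattening step is that the interesting content of a Sysmon event lives entirely in EventData; the generic Message string is fine for a human in Event Viewer but awkward to filter on. Once the fields are properties, the lsass.exe query above is the same filter you would write in a SIEM, just run locally on one host.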