Microsoft Integrates Sysmon Natively in Windows 11: How to Enable and Use It (2026)

Microsoft has begun to introduce native Sysmon capabilities for certain Windows 11 systems that are part of the Windows Insider program. This exciting update follows Microsoft's announcement in November, when they outlined their plans to seamlessly integrate Sysmon into both Windows 11 and Windows Server, alongside a promise for comprehensive documentation to accompany this new feature.

Sysmon, which stands for System Monitor, is a free tool developed by Microsoft as part of its Sysinternals suite. This tool serves as a Windows system service and device driver, aimed at detecting and logging potentially harmful or suspicious activities directly to the Windows Event Log. While Sysmon provides basic monitoring features for events such as process creation and termination, it can also be customized to track more intricate behaviors like the creation of executable files, attempts at process tampering, modifications made to the Windows clipboard, and even automatic backups of deleted files.

Historically, Sysmon has been a favored tool among IT professionals for troubleshooting persistent issues within Windows environments and conducting threat-hunting activities. However, the traditional necessity of manually installing Sysmon on each individual device has posed challenges, particularly in large-scale IT settings where management and deployment can become cumbersome.

In a recent update from the Windows Insider program team, they shared, "With the introduction of Sysmon functionality natively in Windows, users can now capture system events that are crucial for threat detection. Additionally, custom configuration files allow for the filtering of specific events that need monitoring." The collected events will be logged in the Windows event log, making them accessible for security applications and adaptable to various use cases.

Despite the fact that Sysmon is now integrated directly into Windows, it remains disabled by default. Users looking to take advantage of this feature must enable it manually through a straightforward procedure. It's essential to uninstall any previous Sysmon installations from external sources before activating the built-in version. Here’s how you can do it:

  1. Navigate to Settings > System > Optional features > More Windows features and check the box for Sysmon, or alternatively enable the feature from PowerShell or the command prompt with:

     • Dism /Online /Enable-Feature /FeatureName:Sysmon

  2. To finalize the installation, execute the following command in PowerShell or Command Prompt:

     • sysmon -i
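The two steps above, wrapped in an added PowerShell script (not from the article or from Microsoft) that also performs the check the article calls for, refusing to proceed while an external Sysmon service is still installed, and then verifies that events are actually being written. It assumes the service names Sysmon/Sysmon64, the log name Microsoft-Windows-Sysmon/Operational and Event ID 1 (Process Create) carry over from the Sysinternals release; $ConfigPath is a hypothetical path to your own configuration XML.

```powershell
# Run from an elevated PowerShell prompt on a build that exposes the Sysmon feature.
# Assumptions (not confirmed by the article): service names Sysmon/Sysmon64, log name
# Microsoft-Windows-Sysmon/Operational, Event ID 1 = Process Create. $ConfigPath is hypothetical.
param([string]$ConfigPath = "")

# 1. The article says a previously installed (Sysinternals) Sysmon must be removed first.
#    Detect it and stop rather than guess how it was installed.
$legacy = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue
if ($legacy) {
    Write-Warning ("Existing Sysmon service found: {0}. Uninstall it first (for the " +
                   "Sysinternals build: 'sysmon -u' from its install directory)." -f ($legacy.Name -join ', '))
    exit 1
}

# 2. Enable the optional feature (same as the DISM command in the article).
$feature = Get-WindowsOptionalFeature -Online -FeatureName Sysmon
if (-not $feature) { throw "This build does not expose the Sysmon optional feature." }
if ($feature.State -ne 'Enabled') {
    Dism /Online /Enable-Feature /FeatureName:Sysmon /NoRestart | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
}

# 3. Install the service, optionally with a configuration file that filters events.
if ($ConfigPath) { sysmon -i $ConfigPath } else { sysmon -i }
if ($LASTEXITCODE -ne 0) { throw "sysmon -i failed with exit code $LASTEXITCODE" }

# 4. Verify: the service must be running and the operational log should start
#    receiving Process Create (ID 1) events within a few seconds.
$svc = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue |
       Where-Object Status -eq 'Running'
if (-not $svc) { throw "Sysmon service is not running after install." }
Start-Sleep -Seconds 5
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
} -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    "Sysmon is logging. Most recent process creations:"
    foreach ($e in $events) {
        # Pull the Image field out of the event's XML payload instead of parsing the message text.
        $image = ([xml]$e.ToXml()).Event.EventData.Data |
                 Where-Object Name -eq 'Image' | Select-Object -ExpandProperty '#text'
        "{0}  {1}" -f $e.TimeCreated.ToString('s'), $image
    }
} else {
    Write-Warning "No Process Create events yet; check the configuration filters."
}
```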

These new Sysmon capabilities are currently being rolled out to Windows Insiders participating in the Beta and Dev channels who have updated to Windows 11 Preview Build 26220.7752 and 26300.7733, respectively.

In addition to the Sysmon updates, Microsoft recently initiated tests for a new policy that will enable IT administrators to uninstall the AI-driven Copilot digital assistant from managed devices.

The landscape of IT infrastructure is evolving rapidly, leaving behind traditional manual workflows. If you're curious about how your team can streamline operations, reduce hidden delays, enhance reliability through automation, and construct scalable workflows utilizing familiar tools, be sure to check out the latest guide from Tines.

Author: Tish Haag