Microsoft Brings Native Sysmon Monitoring to Windows 11

Native Sysmon integration enters Insider testing, bringing advanced system telemetry and security monitoring directly into Windows 11.


Key Takeaways:

  • Microsoft is testing native Sysmon integration in Windows 11 Insider builds.
  • Built-in telemetry aims to strengthen default system visibility and threat detection.
  • Admins can enable and configure the feature manually during preview rollout.

Microsoft has started testing native System Monitor (Sysmon) integration in Windows 11, bringing advanced system activity monitoring directly into the OS. The feature is currently rolling out to Windows Insiders in the Dev and Beta channels for early evaluation.

What is Sysmon?

Microsoft first announced its plans to introduce native Sysmon functionality into Windows 11 and Windows Server at Ignite 2025 in November. Sysmon (System Monitor) is a Windows system service and device driver from Microsoft Sysinternals that enhances visibility into system activity by continuously monitoring and logging detailed events such as process creation, network connections, file changes, driver loading, and registry modifications.

Its main purpose is to provide high‑fidelity telemetry that helps security teams detect suspicious or malicious behavior, investigate incidents, and understand how attacks progress within a system. Sysmon records these events in the Windows Event Log using configurable rules, and supports threat hunting, intrusion detection, and forensic analysis without actively blocking activity.

How to enable built-in Sysmon in Windows 11?

Currently, the Sysmon feature is disabled by default in Windows 11, and IT admins will need to enable it manually through Settings or PowerShell/Command Prompt. However, keep in mind that they will first need to uninstall the Sysmon tool installed from the Sysinternals website before configuring the built-in version.

  • To enable the Sysmon functionality via Settings, head over to Settings > System > Optional features > More Windows features and check Sysmon
  • To enable Sysmon through PowerShell or the Command Prompt, run the following command: Dism /Online /Enable-Feature /FeatureName:Sysmon
  • Once enabled, administrators still need to initialize Sysmon by running: sysmon -i
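The three steps above, as an added PowerShell example that is not part of the article and not Microsoft's own tooling: it refuses to proceed while a Sysinternals Sysmon service is still present, enables the optional feature, initializes it, and then checks that events are actually being written. It assumes the built-in binary is reachable as sysmon.exe once the feature is enabled, that it accepts the Sysinternals-style "-i <config.xml>" form, and that it logs to the usual Microsoft-Windows-Sysmon/Operational channel.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): enable the built-in
# Sysmon feature on a Windows 11 Insider build, initialize it, and confirm it logs.
# Assumptions: a Sysinternals install registers a service named "Sysmon" or
# "Sysmon64"; the built-in binary is on PATH as sysmon.exe and accepts "-i [config]";
# events land in the "Microsoft-Windows-Sysmon/Operational" channel.

param(
    # Optional Sysmon XML configuration; without one Sysmon uses its defaults.
    [string]$ConfigPath
)

# 1. The article notes the Sysinternals build must be removed first; stop here
#    rather than guess which binary (sysmon.exe / sysmon64.exe) installed it.
$legacy = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
if ($legacy) {
    throw "Sysinternals Sysmon service '$($legacy.Name)' is still installed; remove it (sysmon -u) first."
}

# 2. Enable the optional feature (same as: Dism /Online /Enable-Feature /FeatureName:Sysmon).
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Sysmon'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Sysmon' -NoRestart | Out-Null
}

# 3. Initialize the service, passing a configuration file if one was supplied.
$sysmonArgs = @('-i')
if ($ConfigPath) { $sysmonArgs += $ConfigPath }
& sysmon.exe @sysmonArgs

# 4. Verify: the service should be running and process-creation events
#    (Event ID 1) should start appearing in the Sysmon operational log.
Start-Sleep -Seconds 5
$svc = Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
} -MaxEvents 5 -ErrorAction SilentlyContinue

[pscustomobject]@{
    FeatureState   = (Get-WindowsOptionalFeature -Online -FeatureName 'Sysmon').State
    ServiceStatus  = if ($svc) { $svc.Status } else { 'not found' }
    ProcessCreates = @($recent).Count
}
```

A ProcessCreates count of zero right after initialization is expected until something launches; re-run the final query after opening any application to confirm Event ID 1 records are flowing.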

Microsoft notes that this new built-in Sysmon functionality is rolling out to Windows Insiders enrolled in the Beta and Dev channels who have installed Windows 11 Preview Build 26220.7752 (KB5074177) and Windows 11 Preview Build 26300.7733 (KB5074178). However, it remains to be seen when this feature will become generally available for all Windows 11 users.

Operational and enterprise security benefits

The main benefit of making Sysmon a built‑in feature rather than an optional tool is consistency and baseline security across all systems. Organizations no longer depend on individual IT teams to discover, install, configure, and maintain it correctly. This ensures that advanced system activity logging is available by default, which helps to reduce gaps in visibility caused by misconfiguration, limited expertise, or resource constraints. This new built‑in integration should also help to improve reliability, compatibility, and performance.

Additionally, a built‑in approach lowers operational overhead and strengthens security at scale. Centralized management, standardized event formats, and native integration with Windows security tools make monitoring and incident response faster and more effective.

For organizations with limited security maturity, it helps to improve threat detection without added complexity. Moreover, advanced teams benefit from uniform telemetry across environments, which makes threat hunting, compliance, and forensic investigations more efficient in enterprise environments.