Sysmon is integrated into Windows 11 Insider for advanced telemetry without manual installations

Published · 4 min read · 157 reads

Microsoft has started natively integrating Sysmon's functionality into some Windows 11 builds within the Windows Insider program. This is a relevant change: instead of relying only on the standalone version that administrators install manually from Sysinternals, part of that advanced telemetry can now be enabled directly from the operating system itself.

For those who do not know it, Sysmon (short for System Monitor) is part of the Sysinternals suite and is a tool widely used by security teams and administrators to record and detect suspicious behavior on Windows machines. Once configured, it captures events that go beyond the basic system logs: process creation and termination, changes to executable files, process tampering, clipboard changes and other signals that help investigate incidents or perform threat hunting. These events are written to the Windows event log, which allows them to be integrated with SIEM solutions and other analysis tools. More information on the original tool is available on the official Sysinternals page: Sysmon on Microsoft Learn.

Image: Sysmon integrated into Windows 11 Insider for advanced telemetry (image generated with AI).

Until now, one of the main sources of friction was large-scale deployment: Sysmon is installed separately on each machine, and managing its configuration on hundreds or thousands of devices requires additional policies and processes. By providing a similar capability integrated into Windows 11, Microsoft aims to make it easier for organizations to enable this telemetry without manual installations, although for now the function ships as an optional feature for evaluators.

Microsoft communicated the initial availability of this functionality to Windows Insider program participants, indicating that Sysmon's capabilities will be available as an optional feature in certain preview builds. Insiders on the Beta and Dev channels who have updated to the specified preview builds can already see the option. The official announcements with the details of these builds were posted on the Windows Insider program blog: the announcement for Beta and the announcement for Dev.

It is important to stress that the integrated functionality is not enabled by default. Users or administrators must enable it explicitly. Microsoft also recommends removing any previous installation of Sysmon downloaded from the web before enabling the version that ships with Windows, to avoid conflicts. Once enabled, the feature lets you use custom configuration files to filter the events you want to collect, which is essential to reduce noise and focus on signals relevant to threat detection.

The feature can be enabled from the Windows Settings interface, under the system's optional features section, or with command-line tools such as DISM. After enabling the feature, the installation is completed with the same command that Sysmon has traditionally used to initialize. If you prefer to consult the technical documentation on Windows image management tools and features, the DISM documentation on Microsoft Learn is a good starting point: DISM documentation.
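The enablement and configuration steps described in the two paragraphs above, put together as an added PowerShell example (this is not code from the article or from Microsoft). It assumes an elevated session on an Insider build that exposes the feature; the capability name is not stated in the article, so the script discovers it by pattern rather than hard-coding it, and the `schemaversion` value 4.90 is an assumption to confirm with `sysmon -s` on the target build. The embedded configuration shows the noise-reduction idea from the text: keep process creation, drop a known-noisy image, disable process termination events and enable network connection logging while excluding loopback traffic.

```powershell
# Added example: enable the in-box Sysmon optional feature, write a filtering
# configuration, and initialize Sysmon with it. Run from an elevated PowerShell.

# 1. Microsoft recommends removing a previously downloaded Sysmon first.
#    Only acts if a sysmon binary is already reachable on PATH.
foreach ($exe in 'sysmon64.exe', 'sysmon.exe') {
    if (Get-Command $exe -ErrorAction SilentlyContinue) {
        & $exe -u force 2>$null     # -u uninstalls the service and driver
    }
}

# 2. Locate and enable the optional feature through the DISM PowerShell cmdlets.
#    The exact capability name is unknown here (assumption), so match on 'Sysmon'.
$cap = Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Sysmon*' }
if (-not $cap) { throw 'No Sysmon capability found; check the Insider build and channel.' }
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 3. Write a minimal filtering configuration (constructed sample).
#    schemaversion 4.90 is an assumption; verify with: sysmon -s
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process creation except one known-noisy image -->
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 5: an empty include list logs nothing, removing termination noise -->
    <RuleGroup name="ProcessTerminate" groupRelation="or">
      <ProcessTerminate onmatch="include" />
    </RuleGroup>
    <!-- Event ID 3: enable network connection logging, but skip loopback -->
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
        <DestinationIp condition="is">::1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:ProgramData 'sysmon-config.xml'
Set-Content -Path $configPath -Value $config -Encoding UTF8

# 4. Initialize Sysmon with the traditional command and the filtering config.
#    Later changes are applied with: sysmon -c <path>
sysmon -accepteula -i $configPath
```

The `exclude` rule on `NetworkConnect` is what turns that event type on: Sysmon does not log network connections by default, and an exclude list means "log everything except these matches". Keep the configuration file under version control and push the same template to all machines, since the article's point is that the feature only pays off when the collected events are uniform across the fleet.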

Beyond easing deployment, native integration has practical implications. For security teams it is an opportunity to standardize event capture in managed environments, reduce dependence on manual installations and potentially lower the entry barrier for small and medium-sized organizations that lack dedicated engineering to roll out Sysinternals tools. However, it also raises questions about control, privacy and lifecycle management: organizations should review how the integrated Sysmon configurations will be managed through Group Policy, MDM or other management platforms.


Several specialized outlets have already covered the news and offer additional context on the arrival of integrated Sysmon and its impact: for example, a write-up of the announcement with practical recommendations on BleepingComputer, and technical analyses on IT security sites. For teams planning to adopt the functionality, it is advisable to test first in controlled environments, define configuration templates and validate that the events are correctly forwarded to the centralized analysis tools.
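The validation step recommended above, as an added PowerShell example that is not part of the article: it summarizes what the Sysmon operational log actually contains, checks that the filtering choices took effect (process creation present, process termination absent), and pulls the fields a SIEM rule would typically key on from the latest process-creation event. The service names queried in the last check are an assumption based on the standalone Sysmon and may differ for the in-box version.

```powershell
# Added example: verify that in-box Sysmon is producing the expected events
# before trusting that the forwarding pipeline to the SIEM is complete.

function Get-SysmonEventSummary {
    # Counts Sysmon events per event ID over the last $Hours hours.
    param([int]$Hours = 1)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count
}

function Get-LatestProcessCreate {
    # Extracts the fields detection rules usually rely on from the newest Event ID 1.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
    } -MaxEvents 1 -ErrorAction Stop
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Image       = $data.Image
        ParentImage = $data.ParentImage
        User        = $data.User
        Hashes      = $data.Hashes
    }
}

# Summary table: which event IDs the current configuration is emitting.
$summary = Get-SysmonEventSummary -Hours 1
$summary | Format-Table -AutoSize

# Sanity checks that mirror the filtering template applied at install time.
$ids = @($summary.EventId)
if (1 -notin $ids) {
    Write-Warning 'No ProcessCreate (ID 1) events: Sysmon may not be running or the config is too restrictive.'
}
if (5 -in $ids) {
    Write-Warning 'ProcessTerminate (ID 5) events present: the noise filter was not applied.'
}

# Service and driver state, useful when the log is empty (names are an assumption).
Get-Service -Name 'Sysmon*', 'SysmonDrv' -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# Spot-check the newest process creation: hash, parent and user should all be populated.
Get-LatestProcessCreate | Format-List
```

Run the same script on a machine after the events have been forwarded and compare the per-ID counts at the collector; a mismatch between the local summary and what the SIEM ingested points at the forwarding configuration rather than at Sysmon itself.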

In parallel with this integration, Microsoft continues to test changes to device management policies: last month it began testing a new policy that would allow administrators to uninstall Copilot from managed devices, which shows that the company keeps refining control options for corporate environments. Keeping up with official announcements and release notes from the Insider program is recommended for those who manage Windows infrastructure: in addition to the program blog, the documentation pages and release notes are the most reliable sources for planning production changes.

In short, incorporating Sysmon's functionality directly into Windows 11 is a logical evolution that eases the capture of advanced telemetry on Windows devices. It is good news for security and sysadmin teams seeking to simplify deployments, but it requires planning: validate configurations, ensure compatibility with management processes and understand the operational implications before adopting the feature at scale.
