
Sysmon Is Coming Natively to Windows 11 and Windows Server 2025

Posted on November 19, 2025

Microsoft has officially confirmed that Sysmon will become a native part of Windows 11 and Windows Server 2025, eliminating the need for separate deployments of the standalone Sysinternals version. For anyone responsible for threat hunting, detection engineering, or Windows fleet management, this is a pretty significant shift.

The announcement came directly from Mark Russinovich, who stated:

“Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows.”

This means Sysmon will no longer be an “extra” tool you have to push to endpoints. It will simply be part of the operating system — installed, updated, and managed the same way other Windows features are.

Why This Matters

Sysmon (System Monitor) has been one of the foundational tools for Windows visibility for over a decade. It provides high-fidelity telemetry for everything from process creation to driver loading, DNS queries, clipboard operations, file creation, network connections, and more.

It’s free, powerful, and widely adopted, but rollout has always been the bottleneck. Ironically, Sysmon was created by Mark Russinovich (now a senior Microsoft executive), which left many people wondering why it took this long for Microsoft to bake it directly into Windows.

Large enterprises often struggle with:

  • inconsistent versions across endpoints
  • broken deployments
  • outdated configurations
  • limited coverage in remote or unmanaged devices

By baking Sysmon directly into Windows, Microsoft removes most of this operational overhead. Admins can enable it through Optional Features, and updates will be delivered through Windows Update, ensuring consistent and automatic patching across the entire estate.

From a detection standpoint, this is a huge win: more environments running Sysmon = better visibility, better logs, and more reliable detection content.

What Features Are Included?

Microsoft has confirmed that the native version will keep the standard Sysmon feature set:

  • full support for custom configuration files
  • granular event filtering
  • advanced monitoring capabilities (DNS, process tampering, file creation logs, clipboard, driver loading, registry tampering, etc.)
  • logs written directly to the Windows Event Log (as usual)

In short: it’s Sysmon, just integrated, cleaner, and easier to manage.

Installing & Enabling the Native Version

Once available, Sysmon will be installable via Windows 11’s Optional features interface. After installation, enabling it works the same way as the standalone tool.

Enable Sysmon with basic monitoring

sysmon -i

Enable Sysmon with a custom configuration

sysmon -i <name_of_config_file>

This is important for detection engineers: your existing XML configuration files will still work.
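Before pointing `sysmon -i` at a configuration, it is worth catching the mistakes that make Sysmon reject the file or, worse, load it and match nothing. The following lint is an added example for this post, not code from the post's author or from Sysinternals: it parses a Sysmon XML config and flags a missing `schemaversion`, an `onmatch` value other than `include`/`exclude`, a misspelled filter condition, or an empty filter value. `VALID_CONDITIONS` is the documented Sysmon condition set; the `<RuleGroup>`/`<Rule>` handling follows the 4.x schema layout. The first sample config is the one shown later in this post, the second is a constructed copy with typical copy-paste errors.

```python
"""Pre-flight lint for a Sysmon XML configuration before `sysmon -i <config>`.

Added example, not code from the post or from Sysinternals. It checks the
structural errors that make Sysmon reject a config or silently match nothing.
"""
import xml.etree.ElementTree as ET

# Filter conditions documented for Sysmon rules (any other spelling is rejected).
VALID_CONDITIONS = {
    "is", "is not", "contains", "contains any", "is any", "contains all",
    "excludes", "excludes any", "excludes all", "begin with", "end with",
    "not begin with", "not end with", "less than", "more than", "image",
}
VALID_ONMATCH = {"include", "exclude"}

# The configuration from the post (comments omitted).
POST_CONFIG = r"""<Sysmon schemaversion="4.90">
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <FileExecutableDetected onmatch="include">
      <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
      <TargetFilename condition="begin with">C:\Users\</TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>"""

# Constructed: no schemaversion, a typo in onmatch, a typo in a condition, an empty value.
BROKEN_CONFIG = r"""<Sysmon>
  <EventFiltering>
    <FileExecutableDetected onmatch="includ">
      <TargetFilename condition="begins with">C:\Users\</TargetFilename>
      <TargetFilename condition="begin with"></TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>"""


def _filters(event_type):
    """Yield field filters directly under an event type and those nested in <Rule>."""
    for child in event_type:
        if child.tag == "Rule":
            yield from child
        else:
            yield child


def lint_sysmon_config(xml_text):
    """Return a list of problems found; an empty list means the config passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "Sysmon":
        problems.append(f"root element is <{root.tag}>, expected <Sysmon>")
    if "schemaversion" not in root.attrib:
        problems.append("<Sysmon> lacks a schemaversion attribute")
    filtering = root.find("EventFiltering")
    if filtering is None:
        problems.append("no <EventFiltering> section; no events would be filtered")
        return problems
    for node in filtering:
        # Schema 4.x allows <RuleGroup> wrappers around the event-type elements.
        event_types = list(node) if node.tag == "RuleGroup" else [node]
        for et in event_types:
            onmatch = et.get("onmatch")
            if onmatch not in VALID_ONMATCH:
                problems.append(f"<{et.tag}> onmatch={onmatch!r}: expected include or exclude")
            for f in _filters(et):
                cond = f.get("condition", "is")  # Sysmon defaults a missing condition to 'is'
                if cond not in VALID_CONDITIONS:
                    problems.append(f"<{et.tag}>/<{f.tag}> uses unknown condition {cond!r}")
                if not (f.text or "").strip():
                    problems.append(f"<{et.tag}>/<{f.tag}> has an empty value")
    return problems


if __name__ == "__main__":
    for name, cfg in (("post config", POST_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(name, "->", lint_sysmon_config(cfg) or "OK")
```

Run it over a config file with `lint_sysmon_config(open("config.xml").read())` before deploying; it does not replace Sysmon's own schema validation, but it catches the errors that otherwise only surface as a silent gap in telemetry.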

Example: Monitoring Executable Creation in Sensitive Paths

Here’s a simple but useful example. Say you want to log every time a new executable is created under:

  • C:\ProgramData\
  • C:\Users\

Both are common locations abused by malware and persistence mechanisms.

You can use the following Sysmon configuration:

<Sysmon schemaversion="4.90">
  <!-- Record MD5 and SHA256 hashes for each event -->
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Log executable file creations (Event ID 29) under the two paths -->
    <FileExecutableDetected onmatch="include">
      <TargetFilename condition="begin with">C:\ProgramData\</TargetFilename>
      <TargetFilename condition="begin with">C:\Users\</TargetFilename>
    </FileExecutableDetected>
  </EventFiltering>
</Sysmon>

With this configuration loaded, any new executable dropped in those folders is logged straight into Windows Event Logs, ready for SIEM ingestion or analysis.
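The events that configuration produces are `FileExecutableDetected` records (Event ID 29) in the Sysmon operational log. The script below is an added example for this post, not code from the post's author or from Sysinternals: it parses such events in the XML form Windows exports them in (the `<System><EventID>` plus `<EventData><Data Name="...">` layout, as returned by `Get-WinEvent ... | ForEach-Object { $_.ToXml() }`), skips other event IDs, splits the `Hashes` field, tags each record by whether it fell under the watched paths, and counts drops per writing process for triage. The sample events are constructed; GUIDs and hash values are placeholders. The third event lands outside the watched prefixes, as it would if the configuration were broadened, so the tagging is exercised both ways.

```python
"""Triage Sysmon FileExecutableDetected (Event ID 29) records exported as XML.

Added example, not code from the post or from Sysinternals. Assumes the standard
Sysmon event XML layout. All sample events are constructed; GUIDs and hashes
are placeholders.
"""
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Prefixes watched by the post's configuration; used here to tag each record.
WATCHED_PREFIXES = ("C:\\ProgramData\\", "C:\\Users\\")

SAMPLE_EVENTS = [
    # Constructed: explorer.exe writes an .exe into a user profile (watched path)
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>29</EventID></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2025-11-19 10:00:00.000</Data>
<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data><Data Name="ProcessId">4242</Data>
<Data Name="User">CORP\\alice</Data><Data Name="Image">C:\\Windows\\explorer.exe</Data>
<Data Name="TargetFilename">C:\\Users\\alice\\Downloads\\installer.exe</Data>
<Data Name="Hashes">MD5=00000000000000000000000000000000,SHA256=1111111111111111111111111111111111111111111111111111111111111111</Data>
</EventData></Event>""",
    # Constructed: a vendor updater writes a helper under C:\ProgramData\ (watched path)
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>29</EventID></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2025-11-19 10:05:00.000</Data>
<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data><Data Name="ProcessId">1337</Data>
<Data Name="User">NT AUTHORITY\\SYSTEM</Data><Data Name="Image">C:\\Program Files\\Vendor\\updater.exe</Data>
<Data Name="TargetFilename">C:\\ProgramData\\Vendor\\helper.exe</Data>
<Data Name="Hashes">MD5=00000000000000000000000000000000,SHA256=2222222222222222222222222222222222222222222222222222222222222222</Data>
</EventData></Event>""",
    # Constructed: a drop outside the watched prefixes (only seen with a broader config)
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>29</EventID></System>
<EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2025-11-19 10:07:00.000</Data>
<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data><Data Name="ProcessId">4242</Data>
<Data Name="User">CORP\\alice</Data><Data Name="Image">C:\\Windows\\explorer.exe</Data>
<Data Name="TargetFilename">C:\\Windows\\Temp\\setup.exe</Data>
<Data Name="Hashes">MD5=00000000000000000000000000000000,SHA256=3333333333333333333333333333333333333333333333333333333333333333</Data>
</EventData></Event>""",
    # Constructed: a ProcessCreate event (ID 1), present in the same log but not a drop
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data></EventData></Event>""",
]


def parse_sysmon_event(xml_text):
    """Flatten one exported Sysmon event into {'event_id': int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["event_id"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return data


def split_hashes(hashes_field):
    """Turn Sysmon's 'MD5=...,SHA256=...' string into a dict keyed by algorithm."""
    parts = (p.split("=", 1) for p in hashes_field.split(",") if "=" in p)
    return {algo: value for algo, value in parts}


def executable_drops(xml_events):
    """Return Event ID 29 records as flat dicts, tagged by watched-path membership."""
    records = []
    for text in xml_events:
        ev = parse_sysmon_event(text)
        if ev["event_id"] != 29:
            continue  # other Sysmon event types are not executable drops
        target = ev.get("TargetFilename", "")
        records.append({
            "utc_time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "target": target,
            "sha256": split_hashes(ev.get("Hashes", "")).get("SHA256"),
            # NTFS paths are case-insensitive, so compare that way
            "in_watched_path": any(target.lower().startswith(p.lower()) for p in WATCHED_PREFIXES),
        })
    return records


def drops_by_image(records):
    """Count executable drops per writing process, a quick triage pivot."""
    return Counter(r["image"] for r in records)


if __name__ == "__main__":
    recs = executable_drops(SAMPLE_EVENTS)
    for r in recs:
        print(r["utc_time"], r["user"], r["image"], "->", r["target"], r["sha256"], r["in_watched_path"])
    print(drops_by_image(recs))
```

The SHA256 value is the field to pivot on for hash lookups or allow-listing, and `drops_by_image` points at the process doing the writing, which is usually the more interesting question than the file name itself.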

What This Means for Defenders

Sysmon going native is one of the biggest quality-of-life improvements Windows defenders have had in years.
The implications are pretty straightforward:

  • Coverage increases — fewer excuses for missing telemetry.
  • Consistency improves — everyone runs the same version.
  • Deployment overhead disappears — MDM, GPO, and manual installs become unnecessary.
  • Updates are automated — no more outdated endpoints.
  • Detection engineering gets easier — stable, predictable event IDs across your fleet.

Most importantly, this moves Sysmon from an “optional” tool to a first-class citizen in the Windows security ecosystem.

Final Thoughts

This is a solid move from Microsoft. Sysmon has been a core visibility tool for years, and making it native brings it in line with the modern expectation that operating systems should provide deep, actionable telemetry out of the box.

For defenders, it means better log data in most environments. For Windows admins, it means simpler operations.

Overall, it’s a win for the entire ecosystem and long overdue.
