Microsoft to Integrate Sysmon into Windows 11 and Server 2025

Microsoft has announced that it will integrate the popular tool Sysmon directly into Windows 11 and Windows Server 2025 in 2026. The announcement was made by Mark Russinovich, creator of Sysinternals.

Sysmon Overview

Sysmon (System Monitor) is a free Microsoft Sysinternals tool for monitoring and blocking suspicious activity on Windows. Events are logged to the Windows Event Log, making the tool valuable for threat hunting and diagnostic purposes.

By default, Sysmon tracks basic events like process creation and termination. However, using custom configuration files, it can monitor process tampering, DNS queries, executable file creation, clipboard changes, automatically back up deleted files, and more.

Current Limitations and Native Integration Benefits

Currently, Sysmon must be installed individually on each device, which complicates management in large IT environments. Native support is expected to solve this problem, as users will be able to install the tool via "Optional features" in Windows 11 and receive updates directly through Windows Update.

Microsoft has promised to retain all standard functionality, including support for custom configurations and advanced event filtering.

Deployment and Management

After installation, administrators will be able to enable Sysmon from the command line: "sysmon -i" starts it with the default configuration, and "sysmon -i <config_file_name>" starts it with a custom configuration file that selects which events to monitor.
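The following is an added example, not from the article or from Microsoft: a minimal Sysmon configuration that turns on the event types listed in the overview above (process tampering, DNS queries, executable file creation, clipboard changes, and backup of deleted executables), loaded with the "sysmon -i <config>" command described above and then checked in the Windows Event Log. It assumes an elevated PowerShell session with sysmon on PATH and a Sysmon build that accepts schema version 4.90; the "-accepteula" flag and the Event IDs in the comments are Sysmon's documented ones.

```powershell
# Added example (not from the article). Assumes an elevated shell, sysmon on
# PATH, and a Sysmon release whose schema is 4.90 (adjust if yours differs).
$configPath = Join-Path $env:TEMP 'sysmon-config.xml'
@'
<Sysmon schemaversion="4.90">
  <!-- Deleted files matched below are copied to C:\Sysmon before removal -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <!-- onmatch="exclude" with no rules means: log every event of that type -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />      <!-- Event ID 1 -->
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="exclude" />   <!-- Event ID 5 -->
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Only executable file creation, not every file write (Event ID 11) -->
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude" />           <!-- Event ID 22 -->
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Back up deleted executables to ArchiveDirectory (Event ID 23) -->
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude" />    <!-- Event ID 24 -->
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />   <!-- Event ID 25 -->
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8
# Install the driver and service with the custom configuration; -accepteula
# suppresses the licence prompt. Later, "sysmon -c <config>" swaps the config.
sysmon -accepteula -i $configPath
# Events land in the Sysmon operational log; pull recent DNS (22) and process
# tampering (25) events to confirm the rules are active.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22, 25
} -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```

Logging every DNS query and clipboard change is verbose on busy hosts; in production, add exclude rules for known-good images to keep event volume manageable.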

Future Enhancements

Microsoft representatives stated that in 2026, they will release comprehensive documentation for Sysmon, add new management features for enterprises, and introduce AI-powered threat detection capabilities.