Native Sysmon has arrived in the latest Windows 11 Insider Build 26300, with Sysmon now embedded as an Optional Feature rather than requiring a standalone install. According to the Windows Insider Dev Channel, the release accompanies patch KB5074178 and integrates the Sysmon monitor to maintain exhaustive system logs for forensic analysis.
Once activated, Sysmon records detailed telemetry, including the exact command-line arguments adversaries use when creating processes, network connections with timestamps and destination addresses, driver loading sequences, and any tampering with file creation metadata. The built-in monitor conflicts with legacy manual installations, so users must remove the standalone Sysmon before enabling the integrated monitor via the Optional Features admin panel.
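As an added example, not code from the article or from Microsoft, the Python below parses exported Sysmon event XML for the four telemetry types listed above and flags file creation timestamps that were moved backwards. It assumes the built-in feature emits the same event IDs (1, 2, 3, 6) and field names as standalone Sysmon; `parse_event`, `make_event` and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TS = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout
# Assumption: native Sysmon keeps the standalone event IDs and field names.
FIELDS = {
    1: ("process_create", ("Image", "CommandLine", "ParentImage")),
    2: ("file_time_changed", ("Image", "TargetFilename",
                              "CreationUtcTime", "PreviousCreationUtcTime")),
    3: ("network_connect", ("Image", "DestinationIp", "DestinationPort")),
    6: ("driver_load", ("ImageLoaded", "Signed", "SignatureStatus")),
}

def parse_event(xml_text):
    """Return a flat record for event IDs 1/2/3/6, or None for anything else."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    if eid not in FIELDS:
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    kind, names = FIELDS[eid]
    rec = {"kind": kind, "UtcTime": data.get("UtcTime", "")}
    rec.update((n, data.get(n, "")) for n in names)
    if eid == 2:
        # A creation time moved into the past is the usual timestomping pattern.
        try:
            rec["backdated"] = (datetime.strptime(rec["CreationUtcTime"], TS)
                                < datetime.strptime(rec["PreviousCreationUtcTime"], TS))
        except ValueError:
            rec["backdated"] = None  # field missing or malformed
    return rec

def make_event(eid, **fields):  # builds constructed sample XML only
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SAMPLES = [  # constructed events, not captured from a real host
    make_event(1, UtcTime="2025-01-01 10:00:00.000", Image=r"C:\Windows\System32\cmd.exe",
               CommandLine="cmd.exe /c whoami", ParentImage=r"C:\Windows\explorer.exe"),
    make_event(2, UtcTime="2025-01-01 10:00:05.000", Image=r"C:\Temp\tool.exe",
               TargetFilename=r"C:\Temp\a.dll", CreationUtcTime="2019-03-01 08:00:00.000",
               PreviousCreationUtcTime="2025-01-01 10:00:04.000"),
    make_event(3, UtcTime="2025-01-01 10:00:06.000", Image=r"C:\Temp\tool.exe",
               DestinationIp="203.0.113.10", DestinationPort="443"),
    make_event(11, UtcTime="2025-01-01 10:00:07.000", TargetFilename=r"C:\Temp\b.txt"),
]
RECORDS = [r for r in map(parse_event, SAMPLES) if r]
```

Events outside the four listed types (the constructed ID 11 sample here) are skipped, and a file-time event with unparseable timestamps yields `backdated = None` rather than raising.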
The update also includes File Explorer optimisations and a fix for cloud storage stalling that affected Outlook Classic, though these changes may not appear for all users immediately as deployment follows a staggered cadence.