Windows 11 Canary Build KB5077221 Adds Built-In Sysmon
Following this month’s Patch Tuesday release, users began reporting boot loop problems with KB5077181. Microsoft is working on addressing those issues, but in the meantime, the company has now rolled out a new Windows 11 Insider Preview build to the Canary Channel.
The latest release, KB5077221 (build 28020.1611), introduces native Sysmon integration directly into Windows. Microsoft also confirmed that the current desktop watermark shows an incorrect build number, which will be corrected in a future update.
KB5077221 Brings Sysmon to Windows 11
The biggest addition in this build is native Sysmon support. Sysmon, originally part of Sysinternals, allows users to capture detailed system events for threat detection and advanced security monitoring.
With this update, Windows now includes Sysmon as an optional built-in feature. It remains disabled by default, and users must enable it manually.
To activate built-in Sysmon:
Alternatively, users can run the following command:
Dism /Online /Enable-Feature /FeatureName:Sysmon
After enabling the feature, run:
sysmon -i
This command works in PowerShell or Command Prompt.
Users who previously installed Sysmon from the Sysinternals website must uninstall that version before enabling the integrated Windows version.
The native Sysmon logs directly to Windows Event Log, ensuring compatibility with security tools and custom event filtering setups. Microsoft confirmed that documentation for the new integration will appear in official Windows documentation soon, though Sysmon’s core functionality remains unchanged.
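The enablement steps above can be scripted with a pre-flight check and a log verification. This is an added example, not code from Microsoft or the original article. It assumes the default Sysinternals service names (`Sysmon`, `Sysmon64`) and assumes the built-in version writes to the same `Microsoft-Windows-Sysmon/Operational` channel that Sysinternals Sysmon uses.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check, enable, install and verify built-in Sysmon.

$featureName = 'Sysmon'                                # feature name from the Dism command above
$logName     = 'Microsoft-Windows-Sysmon/Operational'  # assumption: same channel as Sysinternals Sysmon

# 1. Confirm the optional feature exists on this build.
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
if (-not $feature) {
    throw "Optional feature '$featureName' was not found on this build."
}

# 2. A standalone Sysinternals install must be removed before enabling.
#    'Sysmon' and 'Sysmon64' are the default service names (assumption);
#    a service installed under a custom name is not caught by this check.
$legacy = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
if ($legacy -and $feature.State -ne 'Enabled') {
    throw "Standalone Sysmon service present ($($legacy.Name -join ', ')). " +
          "Uninstall it first (Sysinternals binary: sysmon -u)."
}

# 3. Enable the feature (equivalent to the Dism command above).
if ($feature.State -ne 'Enabled') {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Restart required. Re-run this script after rebooting.'
        return
    }
}

# 4. Install the driver and service, as in the article.
& sysmon -i
if ($LASTEXITCODE -ne 0) {
    throw "sysmon -i exited with code $LASTEXITCODE"
}

# 5. Verify that events are reaching the Windows Event Log.
Start-Sleep -Seconds 5
$events = Get-WinEvent -LogName $logName -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
} else {
    Write-Warning "No events found in '$logName' yet. Check the channel name and service state."
}
```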
Interestingly, this feature already appeared in KB5074177 for the Beta Channel, signaling a broader rollout strategy.
OneDrive Sharing Improvements
Microsoft also updated the Windows Share experience. Users can now access new “Share using” options when copying OneDrive cloud file links, making it easier to send files through other apps directly from the share window.
These enhancements roll out only to Windows Insiders signed in with a Microsoft account and located outside the European Economic Area.
This build includes a general fix to correct the desktop watermark so it displays the accurate build number going forward.
For those who prefer testing features in more stable Insider branches, Microsoft also released KB5077201 to the Beta Channel and KB5077202 to the Dev Channel.
Canary Channel users can download KB5077221 now and explore the new built-in Sysmon functionality ahead of its broader release.