Windows 11 Insider Preview Build 28020.1611 (Canary) introduces native Sysmon (disabled by default; uninstall existing Sysmon first). Enable via Settings, DISM, or sysmon -i. The build also adds OneDrive link sharing in the Share window (rolling out outside the EEA), fixes the desktop watermark, and uses staged Canary rollouts.
Windows 11 Insider Preview Build 28020.1611 reached the Canary Channel with two primary updates and stability notes. The release introduces native Sysmon and OneDrive share improvements alongside a watermark fix.
Main feature/change and impact
Built-in Sysmon is now included natively in Windows 11 in this Canary build. This integrates Sysmon event capture directly into the Windows event log for use by SIEMs and EDR tools. Administrators can enable Sysmon through Settings or DISM and must run sysmon -i to complete installation. This change reduces dependency on separate Sysinternals installs and standardizes event collection across managed endpoints.
Practical implications
Security teams must update deployment documentation and onboarding scripts. Existing Sysmon installs must be removed before enabling the built-in feature. The OneDrive share flow now offers “Share using” options after Copy link, enabling faster app-based distribution for Microsoft account users outside the EEA. The desktop watermark bug showing the wrong build number is fixed, but Canary builds remain unstable and may lack full documentation.
Built-in Sysmon is disabled by default and must be explicitly enabled.
The release means security telemetry can be more consistent across Windows devices once Sysmon is enabled. Insiders and IT teams should test enabling Sysmon in lab environments and report issues via Feedback Hub.
From the Windows Blog
