New Windows 11 Update Adds Built-In Sysmon and OneDrive Sharing Tweaks | Free Download

Microsoft is rolling out Windows 11 Insider Preview Build 28020.1611 (KB5077221) to the Canary Channel. As expected from a Canary build, this release focuses on initial platform changes and experimental features.

There’s also a smaller known issue: the desktop watermark currently shows the wrong build number, which Microsoft says will be fixed in an upcoming build.

You can still check out the previous update; here’s what’s new in this one.

Built-in Sysmon comes to Windows

One of the biggest additions to this build is native Sysmon support.

Previously available as a separate Sysinternals download, Sysmon (System Monitor) is now integrated directly into Windows as an optional feature. IT professionals and security teams widely use Sysmon to monitor detailed system activity to detect threats.

What does Sysmon do

Sysmon captures and logs system-level events, including:

  • Process creation
  • Network connections
  • File changes
  • Driver loading activity

These events are written to the Windows event log, where they can be analyzed by security tools or SIEM platforms.
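As an added example (not from the article or from Microsoft), the following Python code parses Sysmon records exported as event XML, groups them into the four categories listed above and flags driver loads that are not marked as signed. The sample records, host name, paths and address are constructed, and the code assumes the built-in Sysmon keeps the event IDs and field names of the Sysinternals release.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# Sysmon event IDs behind the four categories listed above (assumed to be
# unchanged in the built-in version).
CATEGORY = {1: "process creation", 3: "network connection",
            2: "file change", 11: "file change", 6: "driver loading"}

# Constructed sample records; host name, paths and address are made up.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData></Event>
<Event><System><EventID>3</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="Image">C:\Tools\sync.exe</Data>
  <Data Name="DestinationIp">192.0.2.10</Data></EventData></Event>
<Event><System><EventID>11</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="TargetFilename">C:\Users\Public\report.docx</Data></EventData></Event>
<Event><System><EventID>6</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\example.sys</Data>
  <Data Name="Signed">false</Data></EventData></Event>
<Event><System><EventID>22</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="QueryName">example.com</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Return one dict per event: id, category, computer, EventData fields."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % EVT_NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        fields = {d.get("Name"): d.text or ""
                  for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({"id": event_id, "fields": fields,
                        "category": CATEGORY.get(event_id, "other"),
                        "computer": ev.findtext("e:System/e:Computer", "", NS)})
    return records

def summarize(records):
    """Count events per category, e.g. for a quick per-host volume check."""
    return Counter(r["category"] for r in records)

def unsigned_driver_loads(records):
    """Paths of loaded drivers whose Signed field is not 'true'."""
    return [r["fields"].get("ImageLoaded", "") for r in records
            if r["id"] == 6 and r["fields"].get("Signed", "").lower() != "true"]
```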

How to enable built-in Sysmon

Sysmon is disabled by default and must be enabled manually.

You can activate it through:

Settings path:

Settings > System > Optional features > More Windows features > Enable Sysmon

Or via command line:

Dism /Online /Enable-Feature /FeatureName:Sysmon

Then complete the installation with:

Important: If you previously installed Sysmon manually from the Sysinternals website, you must uninstall it before enabling the built-in version.

Microsoft notes that the functionality of Sysmon remains unchanged – it is now part of Windows itself.

Better OneDrive sharing in Windows Share

Build 28020.1611 also extends the Windows Share experience for OneDrive users.

When you right-click a OneDrive cloud file and select Share, clicking Copy link now offers additional options below “Share using”, allowing links to be sent directly through other apps.

This update is currently being released for:

  • Windows Insiders signed in with a Microsoft account
  • Users outside the European Economic Area (EEA)

This change is intended to make sharing cloud content within Windows faster and more intuitive.

General improvements

  • The desktop watermark has been corrected to display the proper build number (although some users may still temporarily see the incorrect watermark).

Important Canary Channel Notes

As a reminder, Canary Channel builds:

  • Represent initial platform changes
  • May be unstable
  • May include features that never ship publicly
  • Roll out features gradually, often using Controlled Feature Rollout (CFR)

Leaving the Canary Channel requires a clean install of Windows 11, because users cannot move to lower build channels without reinstalling.

Microsoft also notes that some features may appear in the Dev or Beta channels before arriving in Canary.

What does it indicate

The integration of Sysmon into Windows marks a notable change. Bringing security monitoring tools directly into the OS reduces friction for enterprises and users who care about security.

While the Canary build is not meant for everyday systems, build 28020.1611 gives a sense of how Microsoft continues to strengthen Windows 11’s security and cloud integration.

More documentation on built-in Sysmon will be posted soon.


Source: Ghacks
