Sysmon Installation on Windows - Multiple Endpoints

Updated Feb 12, 2024

Install Sysmon using Microsoft Intune

You can install Sysmon on multiple Windows endpoints using Microsoft Intune®.

Requirements

Before you begin

Steps

  1. Add the Win32 app to Intune.
  2. Add Sysmon to Intune.

Step 1: Add the Win32 app to Intune

  1. Download and install the Intune application packager.

    See Microsoft documentation for more information.

  2. Install the Microsoft Win32 Content Prep Tool. This tool converts an installer into a .intunewin file that you upload to Intune for distribution.

  3. Run this command:

    IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>

    Where:

    • <setup_folder> is the source folder.
    • <source_setup_file> is the filename of the source file from the previous step.
    • <output_folder> is the location of the new .intunewin file.

Step 2: Add Sysmon to Intune

  1. In the App information section:

    1. Click Select file, and then add the .intunewin file.
    2. In the Description field, enter a description.
    3. In the Publisher field, enter Microsoft.
  2. In the Program section:

    1. In the Install command field, do one of these actions:

      • If you are using Sysmon Assistant — Enter this command:

        msiexec /i <assistant_filename>.msi /q

        Where:

        • <assistant_filename> is the name of the Sysmon Assistant MSI file.
      • If you are not using Sysmon Assistant — Enter this command:

        <sysmon_filename>.exe -i -accepteula

        Where:

        • <sysmon_filename> is the name of the Sysmon EXE file.
    2. In the Uninstall command field, do one of these actions:

      • If you are using Sysmon Assistant — Enter this command:

        Note: The GUID automatically populates when you use the .intunewin package.

        msiexec /x "<guid>" /qn

        Where:

        • <guid> is the GUID of the application.
      • If you are not using Sysmon Assistant — Enter this command:

        <sysmon_filename>.exe -u

        Where:

        • <sysmon_filename> is the name of the Sysmon EXE file.
  3. In the Requirements section, specify the OS architecture and minimum OS.

  4. In the Detection rules section, in the Rules format list, select Manually configure detection rules, and enter this information:

    • The EXE file path: C:\Windows\
    • The name of the folder
    • The detection method
  5. In the remaining sections, keep the default settings.

  6. In the Assignments section, select the device group that you want to target.

  7. In the Review + create section, add the application.
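The following install-command wrapper is an added example for the path that does not use Sysmon Assistant; it is not code from the original page or from Sysinternals. It assumes the packaged <setup_folder> contains the script itself, Sysmon64.exe and a sysmonconfig.xml (both file names are assumptions), and it handles the case the bare install command does not: when Sysmon is already present on the endpoint, a second -i fails, so the script refreshes the configuration with -c instead.

```powershell
# Added example (not from the original page or from Sysinternals): Intune Win32
# install-command wrapper for the "not using Sysmon Assistant" path. Assumes the
# packaged <setup_folder> holds this script, Sysmon64.exe and sysmonconfig.xml.
param(
    [string]$SysmonExe  = (Join-Path $PSScriptRoot 'Sysmon64.exe'),
    [string]$ConfigFile = (Join-Path $PSScriptRoot 'sysmonconfig.xml'),
    [switch]$Uninstall
)
$ErrorActionPreference = 'Stop'

function Get-SysmonService {
    # Sysmon names its service after the binary it was installed from (Sysmon64 or Sysmon).
    Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
}

function Invoke-Sysmon {
    param([string[]]$Arguments)
    # Run synchronously and hand Sysmon's exit code back to Intune, which treats
    # a non-zero code as a failed install.
    $p = Start-Process -FilePath $SysmonExe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

if (-not (Test-Path -LiteralPath $SysmonExe)) {
    Write-Error "Sysmon binary not found: $SysmonExe"
    exit 1
}

if ($Uninstall) {
    # Same as the page's uninstall command: <sysmon_filename>.exe -u
    exit (Invoke-Sysmon -Arguments @('-u'))
}

$svc = Get-SysmonService
if ($null -eq $svc) {
    # Fresh install: the page's "-i -accepteula", with the config file added when present.
    $install = @('-accepteula', '-i')
    if (Test-Path -LiteralPath $ConfigFile) { $install += $ConfigFile }
    exit (Invoke-Sysmon -Arguments $install)
}

# Already installed: a second "-i" fails, so refresh the configuration with "-c" instead.
if (Test-Path -LiteralPath $ConfigFile) {
    exit (Invoke-Sysmon -Arguments @('-c', $ConfigFile))
}
Write-Output "Sysmon service '$($svc.Name)' already installed; nothing to do."
exit 0
```

Point the Install command at `powershell.exe -ExecutionPolicy Bypass -NoProfile -File Install-Sysmon.ps1` and the Uninstall command at the same line with `-Uninstall` appended; Intune judges success by the script's exit code.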

See also