Install Sysmon using Microsoft Intune

CAUTION: Arctic Wolf does not recommend upgrading to Sysmon version 15.20 due to a compatibility issue with the Arctic Wolf Agent. A fix will be released with Agent version 2026-01+.

You can install Sysmon on multiple Windows endpoints using Microsoft Intune® and Sysmon Assistant.

When Sysmon is installed on a device:
  • The Arctic Wolf configuration is applied and set by default when Arctic Wolf Agent and Sysmon are installed on a device without a previous Sysmon configuration. If a different configuration already exists, it will not be overwritten.
  • The installation method does not affect how the Arctic Wolf Agent interacts with Sysmon.
  • The location of Sysmon.exe does not change the behavior of Sysmon on the system because it runs as a service and a separate driver.
  • Sysmon events are forwarded to Arctic Wolf regardless of the Sysmon installation method and configuration. However, the Arctic Wolf pipeline is optimized for Arctic Wolf configurations, so if you use your own configuration, some events might not generate alerts.

These resources are required:

  • Arctic Wolf® Agent

    See Install Arctic Wolf Agent for more information.

  • One of these operating systems (OS):
    • Windows 10 or newer for 64- and 32-bit systems
    • Windows Server 2016 or newer for 64-bit systems
    Note: Agent OS minimum requirements are different from Sysmon minimum OS requirements. If you are installing Sysmon, make sure that you are installing the appropriate version for your OS. For older operating systems that Agent supports but Sysmon does not, we recommend that you upgrade to a current version of the OS. Arctic Wolf cannot support you with any configuration issues for older versions of Sysmon.

These actions are required:

  • Download the Sysmon.zip file for the latest Sysmon version, which includes the executable files, from the Microsoft website.
  • If you want to use Sysmon Assistant to install Sysmon, in the Arctic Wolf Unified Portal, click Resources > Downloads, go to the Sysmon section, and then click Download Assistant to download the SysmonAssistant.zip file.
  • Extract Sysmon.zip and SysmonAssistant.zip and save these Sysmon Assistant installation files in the same folder.

Add the Win32 app to Intune

  1. Download and install the Intune application packager.

    See Microsoft documentation for more information.

  2. Install the Microsoft Win32 Content Prep Tool. This allows you to convert a file to a .intunewin file to upload for distribution.
  3. Run this command:
    IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>

    Where:

    • setup_folder is the source folder containing Sysmon Assistant or the Sysmon executable.
    • source_setup_file is the filename of the source file, which is either the Sysmon Assistant MSI file or the Sysmon executable.
    • output_folder is the location of the new .intunewin file.

Add Sysmon to Intune

  1. Sign in to the Microsoft Intune admin center.
  2. Click Home > Apps > Windows Apps.
  3. Click Add, and complete these fields:
    • App type — Select Windows App (Win32).
    • Select app package file — Select the .intunewin file that was generated in Step 1.
  4. Click Ok.
  5. In the App information section:
    1. Click Select file, and then add the .intunewin file.
    2. In the Name field, enter AW Sysmon - version, for example AW Sysmon - 15.12.
    3. In the Description field, enter a description.
    4. In the Publisher field, enter Microsoft.
    5. In the App Version field, enter the Sysmon version, for example 15.12.
    6. Set Show this as a feature in the Company Portal to No.
  6. In the Program section:
    Note: When you use Sysmon Assistant, the install and uninstall commands populate automatically. If you are using the raw Sysmon executable for installation, you must enter the install and uninstall commands manually.
    1. In the Install command field, do one of these actions:
      • If you are using Sysmon Assistant — Enter this command:
        msiexec /i <assistant_filename>.msi /qn

        Where:

        • assistant_filename is the name of the Sysmon Assistant MSI file.
      • If you are not using Sysmon Assistant — Enter this command:
        <sysmon_filename>.exe -i -accepteula

        Where:

        • sysmon_filename is the name of the Sysmon EXE file.
    2. In the Uninstall command field, do one of these actions:
      • If you are using Sysmon Assistant — Enter this command:
        Note: The GUID automatically populates when you use the .intunewin package.

        msiexec /x "<guid>" /qn

        Where:

        • guid is the GUID of the application.
      • If you are not using Sysmon Assistant — Enter this command:
        <sysmon_filename>.exe -u force

        Where:

        • sysmon_filename is the name of the Sysmon EXE file.
    3. Set Allow available uninstall to No.
    4. In the Device restart behavior list, select No specific action.
  7. In the Requirements section, select the appropriate Operating system architecture and Minimum operating system values.
    Note: If you are running both 32-bit and 64-bit systems, create a unique Intune App for each OS.
    • If you are using Sysmon Assistant, you can leverage the same installation package, but the executable file for detection is sysmon.exe for 32-bit systems and sysmon64.exe for 64-bit systems.
    • If you are not using Sysmon Assistant, you will need unique packages to target the appropriate Sysmon executable for installation.
  8. In the Detection rules section, in the Rules format list, select Manually configure detection rules, click Add, and complete these fields:
    Tip: Click the information icon next to a field name for more information.

    • Rule type — The type of detection rule you are configuring, for example, File.
    • Path — Full path of the folder that contains the file to detect, for example, C:\windows\.
      Note: Do not use special characters.

    • File or folder — Name of the file or folder to detect, for example, sysmon64.exe.
    • Detection method — Method used to validate the presence of the application, for example, String (version).
    • Operator — The type of operator, for example, Equals.
    • Value — The Sysmon version in four-part format (the Sysmon version followed by .0.0). For example, Sysmon 15.12 is entered as 15.12.0.0. To display the installed version, run Sysmon64 -c or Sysmon -c.
    • Associated with a 32-bit app on 64-bit clients — Select Yes for path environment variables in 32-bit context on 64-bit clients. Select No for path variables in 64-bit context on 64-bit clients.
      Note:
      • The default setting is No.
      • 32-bit clients always use 32-bit context.
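    The following PowerShell script is an added example, not part of the Arctic Wolf page or its tooling. Run it on a test endpoint before saving the detection rule: it reports the Path, File or folder and Value the File rule above will compare (building the four-part version from the executable's version resource the way the String (version) comparison does), and confirms that the Sysmon service and its driver are running. It assumes Sysmon was installed under C:\Windows with the default names (Sysmon64.exe on 64-bit, Sysmon.exe on 32-bit) and the default driver service name SysmonDrv.

```powershell
# Added example (not Arctic Wolf's code): pre-check the values entered in the Intune
# "File" detection rule for Sysmon. Assumptions: default install location C:\Windows,
# default executable names, default driver service name SysmonDrv.
param(
    [string]$ExpectedVersion = '15.12.0.0',   # planned rule "Value" (Sysmon version + .0.0)
    [string]$Path            = 'C:\Windows'   # planned rule "Path"
)

# 64-bit systems run Sysmon64.exe, 32-bit systems run Sysmon.exe (see the Requirements note).
$fileName = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$exe      = Join-Path -Path $Path -ChildPath $fileName

if (-not (Test-Path -LiteralPath $exe)) {
    Write-Output "NOT FOUND: $exe  (rule 'File or folder' = $fileName would not match)"
    exit 1
}

# Build the four-part version string from the executable's version resource.
# Sysmon's resource carries only major.minor, so build/private resolve to 0.0.
$vi     = (Get-Item -LiteralPath $exe).VersionInfo
$actual = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

# The service is named after the executable (Sysmon64 or Sysmon); the driver is SysmonDrv.
# Both must be running for events to reach the Arctic Wolf Agent.
$serviceName = [IO.Path]::GetFileNameWithoutExtension($fileName)
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
$drv = Get-Service -Name 'SysmonDrv'  -ErrorAction SilentlyContinue

$matches = ([version]$actual -eq [version]$ExpectedVersion)

[PSCustomObject]@{
    Path            = $Path
    FileOrFolder    = $fileName
    ActualVersion   = $actual
    ExpectedVersion = $ExpectedVersion
    VersionMatches  = $matches
    ServiceStatus   = if ($svc) { $svc.Status.ToString() } else { 'missing' }
    DriverStatus    = if ($drv) { $drv.Status.ToString() } else { 'missing' }
} | Format-List

# Non-zero exit makes the mismatch visible when the script is run from a remote session.
if (-not $matches) { exit 1 }
```

If VersionMatches is False, the rule's Value does not correspond to the binary you packaged; re-check the version with Sysmon64 -c (or Sysmon -c) before saving the app.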
  9. In the remaining sections, keep the default settings.
  10. In the Assignments section, select the device group that you want to target.
    1. Change End User Notifications to Hide all toast notifications.
  11. In the Review + save section, add the application.

Deploy a Sysmon Update

  1. Download the new version of Sysmon, and recreate the .intunewin file following Step 1.
  2. Repeat Step 2.1-2.8 to create a new app.
  3. In the Supersedence section, do one of these actions:
    1. If you are using Sysmon Assistant, click the Uninstall previous version toggle to the No position.
    2. If you are using a raw Sysmon executable, click the Uninstall previous version toggle to the Yes position.
    Note: Intune will recognize this new app as the most recent version and deploy it to new endpoints, while updating endpoints with the previous version installed. It will stop deploying the older version.
  4. In the Assignments section, do these actions:
    1. Click the device group that you want to target.
    2. In the Edit assignment pane, in the End user notifications list, select Hide all toast notifications.
  5. In the Review + save section, add the application.