Sysmon - Deployment issues via SCCM

  • Question

  • Has anyone seen issues with Sysmon deployment with SCCM? In our case we are seeing the following issues:

    Wednesday, July 26, 2017 5:22 AM

All replies

  • Was too quick to post it:
    - Sysmon is only logging network activity (i.e. Event Code = 3) and nothing else on a large number of hosts
    - You have to invoke Sysmon from the directory where SCCM stored the Sysmon binaries (I guess the installation is not setting the environment variables or something of the sort so that it is accessible)
    Wednesday, July 26, 2017 5:27 AM
  • Long story short: Sysmon/Sysmon64 has a couple of bugs. One is the following.

    Sysmon/Sysmon64 Installation BUG

    Sysmon/Sysmon64 does not install correctly when installation is performed from a directory under %SystemRoot%

    More Information

    SysmonDrv.sys is created by Sysmon.exe/Sysmon64.exe during installation ONLY. If the file is deleted, it is NOT recreated. When installation is performed from a directory under %SystemRoot%, the SysmonDrv.sys file is not created even though Sysmon/Sysmon64 states SysmonDrv installed (erroneously).


    Perform the installation of Sysmon/Sysmon64 from an executable located in a folder that is not under %SystemRoot%.

    This will create/recreate the SysmonDrv.sys file as expected.

    • Proposed as answer by TenOf11 Friday, May 3, 2019 3:59 PM
    Monday, November 19, 2018 3:43 PM
  • Hello

    Thanks for posting this. I have added this to the Sysmon product backlog.


    MarkC (MSFT)

    Wednesday, November 28, 2018 7:31 PM
  • I would like to add that the 10.1 binary still has an issue installing through SCCM.

    I've actually found that, for no discernible reason that I can find, the exe is moved to C:\windows\CCMTemp\

    My SCCM cache folder is C:\Windows\CCMCACHE\XX

    This results in either (over 500 PCs to test):

    - Sysmon installs but the service is created in the temp folder and appears quite limited in functionality

    - Sysmon fails to install and exits with 999 (according to PSAppDeployToolkit). I cannot actually replicate this, even while launching Sysmon as SYSTEM with PsExec on the same computers. I cannot find the error 999.

    --------------------------------------- |Failure to plan is a plan for failure| ---------------------------------------

    Friday, June 28, 2019 5:47 PM
  • Just started to observe this behavior (Sysmon installed into CCMTEMP) in our environment as well after upgrading our ConfigMgr build to 1902.

    I'm hearing it's some undocumented new behavior in ConfigMgr which fools around with environment variables of applications during install for applications meeting some specific, perceived to be security related, condition.

    To work around the problem we simply updated the batch file which installs sysmon to change the value of the TEMP environment variable to what we expect it should be just prior to the install of sysmon.  Silly stuff.

    And to echo what Ape said (limited in functionality), I'm fairly certain sysmon was not honoring our config exclusions correctly when running out of CCMTEMP.

    • Edited by dstaulcu Saturday, June 29, 2019 5:58 PM
    Saturday, June 29, 2019 5:08 AM
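A post-deployment check for the failure modes reported in this thread (the service binary running out of %SystemRoot%\CCMTemp, a registered SysmonDrv whose .sys file was never written, and hosts logging only Event ID 3), written as an added example that is not code from any poster here. It assumes the default service names Sysmon/Sysmon64 and SysmonDrv and the CCMTemp path named above; a driver renamed at install time needs the -DriverName parameter changed.

```powershell
# Added example (not code from the thread). It checks for the failure modes reported
# above: a service binary running out of %SystemRoot%\CCMTemp, a registered
# SysmonDrv whose .sys file never got written, and a host logging only Event ID 3.
# Assumes the default service names; a driver renamed with -d needs -DriverName.
function Test-SysmonInstall {
    param(
        [string[]]$ServiceNames = @('Sysmon64', 'Sysmon'),
        [string]$DriverName = 'SysmonDrv'
    )
    $problems = @()
    $svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $winDir   = $env:SystemRoot

    # 1. Locate the user-mode service and the executable its ImagePath points at.
    $svc = $ServiceNames |
        ForEach-Object { Get-ItemProperty -Path (Join-Path $svcRoot $_) -ErrorAction SilentlyContinue } |
        Select-Object -First 1
    if (-not $svc) { return [pscustomobject]@{ Healthy = $false; Problems = @('No Sysmon service registered') } }
    # ImagePath may be quoted and carry arguments; keep only the executable path.
    $exePath = [Environment]::ExpandEnvironmentVariables(($svc.ImagePath -replace '^"([^"]+)".*$', '$1'))
    if ($exePath -like (Join-Path $winDir 'CCMTemp\*')) {
        $problems += "Service binary installed from the SCCM temp folder: $exePath"
    }
    if (-not (Test-Path -LiteralPath $exePath)) { $problems += "Service binary missing on disk: $exePath" }

    # 2. The driver must be registered AND its .sys must exist: Sysmon writes the
    #    file only at install time, so a missing file means reinstall from outside %SystemRoot%.
    $drv = Get-ItemProperty -Path (Join-Path $svcRoot $DriverName) -ErrorAction SilentlyContinue
    if (-not $drv) {
        $problems += "Driver service '$DriverName' is not registered"
    } else {
        # Strip the NT '\??\' prefix; a relative driver path is relative to %SystemRoot%.
        $drvPath = [Environment]::ExpandEnvironmentVariables(($drv.ImagePath -replace '^\\\?\?\\', ''))
        if (-not [IO.Path]::IsPathRooted($drvPath)) { $drvPath = Join-Path $winDir $drvPath }
        if (-not (Test-Path -LiteralPath $drvPath)) { $problems += "Driver file missing: $drvPath" }
    }

    # 3. The first post reports affected hosts logging only Event ID 3, so require
    #    at least one other event ID in the last 24 hours.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = (Get-Date).AddDays(-1) }
    $ids = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id -Unique
    if (-not ($ids | Where-Object { $_ -ne 3 })) {
        $problems += 'Only Event ID 3 (or nothing at all) logged in the last 24 hours'
    }

    [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Problems = $problems }
}
Test-SysmonInstall | Format-List
```

Run it as an administrator on a deployed host; a Healthy = False result with the CCMTemp or driver-file message is the case the replies above fix by reinstalling from a folder outside %SystemRoot% with TEMP pointed where you expect.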
  • Here is how I figured it out:

    --------------------------------------- |Failure to plan is a plan for failure| ---------------------------------------

    Monday, July 8, 2019 2:32 AM
  • Hello

    Quick update on this. We have resolved the issue and the fix will be available in the 10.3 release.


    18 hours 40 minutes ago