Sysmon - Deployment issues via SCCM


  • Has anyone seen issues with Sysmon deployment via SCCM? In our case we are seeing the following issues:

    Wednesday, July 26, 2017 5:22 AM

All replies

  • Was too quick to post it:
    - Sysmon is only logging network activity (i.e. Event Code = 3) and nothing else on a large number of hosts
    - You have to invoke Sysmon from the directory where SCCM stored the Sysmon binaries (I guess the installation is not setting the environment variables or something of that sort so that it is accessible)
    Wednesday, July 26, 2017 5:27 AM
  • Long story short, Sysmon/Sysmon64 has a couple of bugs. One is the following.

    Sysmon/Sysmon64 Installation BUG

    Sysmon/Sysmon64 does not install correctly when installation is performed from a directory under %SystemRoot%

    More Information

    SysmonDrv.sys is created by Sysmon.exe/Sysmon64.exe during installation ONLY. If the file is deleted, it is NOT recreated. When installation is performed from a directory under %SystemRoot%, the SysmonDrv.sys file is not created even though Sysmon/Sysmon64 (erroneously) states that SysmonDrv is installed.

    Workaround

    Perform the installation of Sysmon/Sysmon64 from an executable located in a folder that is not under %SystemRoot%.

    This will create/recreate the SysmonDrv.sys file as expected.

    Monday, November 19, 2018 3:43 PM
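The install and the post-install checks described in the reply above, written out as an added PowerShell example for an SCCM/Intune package script. This is not code from the thread or from Sysinternals. It assumes Sysmon64.exe and a config file named sysmonconfig.xml sit next to the script in the package source, stages them to a hypothetical folder under %ProgramData% (deliberately outside %SystemRoot%), runs the install, and then verifies the three things the thread says can silently go wrong: that %SystemRoot%\SysmonDrv.sys actually exists, that the SysmonDrv driver and Sysmon64 service are running, and that event IDs other than 3 are arriving.

```powershell
# Added example, not from the original thread. Stage Sysmon outside %SystemRoot%
# before installing, then verify the driver file that the thread reports going missing.
param(
    [string]$PackageRoot = $PSScriptRoot,                  # SCCM content location (ccmcache)
    [string]$StageDir    = 'C:\ProgramData\SysmonDeploy',  # assumed staging path, not under %SystemRoot%
    [string]$ConfigName  = 'sysmonconfig.xml'              # assumed config file name
)

$ErrorActionPreference = 'Stop'

# Warn if the package source itself sits under %SystemRoot% (the bug trigger in the thread).
$systemRoot = [IO.Path]::GetFullPath($env:SystemRoot).TrimEnd('\')
if ($PackageRoot.TrimEnd('\').StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "Package source '$PackageRoot' is under %SystemRoot%; staging to '$StageDir' instead."
}

# Always install from the staging directory so the source location never matters.
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
Copy-Item -Path (Join-Path $PackageRoot 'Sysmon64.exe') -Destination $StageDir -Force
Copy-Item -Path (Join-Path $PackageRoot $ConfigName)    -Destination $StageDir -Force

$exe = Join-Path $StageDir 'Sysmon64.exe'
$cfg = Join-Path $StageDir $ConfigName

# -accepteula suppresses the EULA dialog; -i installs the service and driver with the given config.
$proc = Start-Process -FilePath $exe -ArgumentList @('-accepteula', '-i', "`"$cfg`"") `
                      -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Sysmon64.exe -i exited with code $($proc.ExitCode)"
}

# Check 1: the driver binary must exist. Sysmon reports success even when it is missing.
$drv = Join-Path $env:SystemRoot 'SysmonDrv.sys'
if (-not (Test-Path -Path $drv)) {
    throw "Sysmon reported a successful install but '$drv' was not created"
}

# Check 2: the kernel driver and the user-mode service must both be running.
# Get-Service does not list kernel drivers, so query Win32_SystemDriver for SysmonDrv.
$driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
if (-not $driver -or $driver.State -ne 'Running') {
    throw 'SysmonDrv driver is not installed or not running'
}
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'Sysmon64 service is not installed or not running'
}

# Check 3: hosts that only log Event ID 3 are the symptom from the first post, so
# give the driver a moment and confirm process-creation events (ID 1) are arriving.
Start-Sleep -Seconds 30
$byId = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
        Group-Object -Property Id | Select-Object -Property Name, Count
$byId | Format-Table -AutoSize
if (-not ($byId | Where-Object { $_.Name -eq '1' })) {
    Write-Warning 'No Event ID 1 (process create) seen yet; review the config and the driver state.'
}
```

Run it as the SCCM deployment program under the SYSTEM account. A non-zero exit from any of the `throw` lines makes the deployment report failure in SCCM instead of a host quietly running with no driver.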
  • Hello

    Thanks for posting this. I have added this to the Sysmon product backlog.


    MarkC (MSFT)

    Wednesday, November 28, 2018 7:31 PM