Windows 11 Insider Preview Build 26220.7752 Adds Built-in Sysmon and CFR Rollouts

Microsoft’s latest Beta-channel preview, delivered as Windows 11 Insider Preview Build 26220.7752 (KB5074177), is a focused quality update that mixes polish, stability fixes, and a handful of staged feature rollouts — most notably the addition of built‑in Sysmon and continued Copilot-era refinements — while reminding Insiders that visibility of new experiences will depend on Microsoft’s Controlled Feature Rollout and the “Get the latest updates as soon as they’re available” toggle in Settings.

Background and context

Windows 11’s 25H2 preview stream is being delivered through a family of enablement-style cumulative updates in the 26220.xxxx build series. Rather than exposing all changes immediately, Microsoft installs a common binary on devices and then selectively turns on features server‑side or by entitlement, a process it calls Controlled Feature Rollout (CFR). The consequence for testers and IT teams is simple: you may have the build installed but not see every change until Microsoft flips the rollout switches for your device or account.
This particular package — Build 26220.7752 (KB5074177) — continues that model. The release notes split changes into two buckets: items gradually rolled out to Insiders who have turned on the toggle to get the latest updates as soon as they’re available, and items rolling out to everyone in the Beta Channel more broadly. That distinction matters for visibility and for how organizations should plan testing and pilot deployments.

What’s new in Build 26220.7752 — summary of the key items

  • Built‑in Sysmon (optional, off by default). Windows now includes native Sysmon functionality that can capture detailed system events for threat detection and forensic workflows. Built‑in Sysmon is disabled by default and must be enabled via Optional Features or PowerShell; setup is then completed by running the Sysmon install command. Microsoft warns that if you already installed Sysmon from the Sysinternals website, you must uninstall that earlier copy before enabling the built‑in version; documentation is promised to follow.
  • Voice Access: Netherlands locale support. Voice Access has expanded locale coverage to include the Netherlands, extending accessibility support for speech-driven control in another market.
  • File Explorer fixes and accessibility improvements. Multiple Explorer regressions were addressed, including keyboard navigation and access keys improvements, fixes for folder renaming with custom names, and corrected icons/tooltips for the “Add to favorites” entry.
  • File sync and app hangs fixed. The update includes fixes for scenarios where apps could freeze when working with files stored on OneDrive or Dropbox; in some Outlook configurations with PSTs on OneDrive this could also hang or require a reload of email data.
  • General quality and reliability fixes. As with recent 26220-series builds, this update bundles a broad set of pragmatic fixes across Start, Taskbar, Settings, and other shell areas intended to reduce frequent, high-impact regressions.
Each of these items is being rolled out either immediately or gradually depending on the CFR gates and whether the Insider has enabled the “get the latest updates as they are available” toggle in Settings > Windows Update.

Deep dive: Built‑in Sysmon — what changed and why it matters

What Microsoft added

Sysmon (System Monitor) is a mature Sysinternals tool widely used by security teams to log process creations, network connections, driver loads, and other kernel‑adjacent events that help detect malicious activity. Historically, administrators downloaded Sysmon separately from the Sysinternals site, then configured it with XML configuration files to tailor the event stream.
With Build 26220.7752, Microsoft ships Sysmon functionality natively inside Windows, making it available as an optional component. The built‑in feature writes its events into the Windows Event Log, enabling normal SIEM integrations and log‑collection pipelines to consume Sysmon records without requiring a separate download or installer — assuming an organization chooses to enable it. Microsoft notes the built‑in Sysmon remains disabled by default and must be explicitly enabled either through Settings > System > Optional features > More Windows features > Sysmon or by using PowerShell to enable the optional feature and then running the Sysmon installer command-line to complete configuration. If a prior Sysmon install exists from Sysinternals, that copy must be removed first.

Practical implications for defenders and admins

  • Lower deployment friction. Having Sysmon available as an optional Windows feature reduces friction for defenders who previously needed to manage a separate binary, signature exclusions, and deployment channels. For organizations managing large fleets, the Optional Features + PowerShell path can be integrated into imaging, configuration management, and provisioning workflows. This should simplify baseline logging adoption for incident responders and detection engineering teams.
  • Policy and baseline considerations. Because built‑in Sysmon is disabled by default, organizations must decide whether to enable it broadly. Enabling will increase log volume — depending on the chosen Sysmon configuration — so IT teams should validate log storage, SIEM ingestion throttles, and retention policies before rolling out widely. Existing Group Policy/MDM controls will need to account for the optional feature and any post‑install configuration scripts used to apply a canonical Sysmon XML config.
  • Compatibility and migration. Microsoft’s note that previously‑installed Sysmon should be uninstalled first is important: automated migration strategies should be developed to prevent duplicate instrumentation or conflicting service instances. Test plans must include verification that Sysmon events appear under the expected Windows Event Log channels and that any pre‑existing parsing rules (in SIEMs, for example) still work.
  • Visibility caveat. The release states that official documentation will be added to Windows soon; until that documentation is published, administrators will need to rely on the Insider notes and community experiments. Treat this early availability as preview‑level functionality and pilot it on non‑production systems first.
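
A read-only pre-flight check for the migration and verification points above, as an added example that is not from Microsoft or the original write-up. The feature name `Sysmon`, the channel `Microsoft-Windows-Sysmon/Operational` and the function name `Get-SysmonPilotState` are assumptions until Microsoft publishes its documentation.

```powershell
# Added example; run elevated on a pilot machine. Nothing here changes system state.
# Assumptions: optional feature name 'Sysmon'; built-in events land in the
# channel the Sysinternals release uses. Adjust once Microsoft documents both.
$FeatureName = 'Sysmon'
$Channel     = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonPilotState {
    # $null when the feature is not exposed on this device (for example, CFR gating).
    $feature = try {
        Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction Stop
    } catch { $null }
    $featureEnabled = $feature -and ("$($feature.State)" -eq 'Enabled')

    # Default service names of the standalone installer; a renamed binary
    # registers under its own name and is not caught here.
    $services = @(Get-CimInstance Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'")

    # A Sysmon service without the enabled feature is a standalone copy,
    # which has to be uninstalled before the built-in version is enabled.
    $legacy = ($services.Count -gt 0) -and (-not $featureEnabled)

    $log    = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
    $events = @()
    if ($log) {
        # Last hour of events: a first data point for SIEM ingestion sizing.
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName = $Channel; StartTime = (Get-Date).AddHours(-1)
        } -ErrorAction SilentlyContinue)
    }
    $top = $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object -First 5 | ForEach-Object { "$($_.Name)=$($_.Count)" }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        FeatureState   = if ($feature) { "$($feature.State)" } else { 'NotAvailable' }
        SysmonServices = ($services | ForEach-Object { "$($_.Name) [$($_.State)] $($_.PathName)" }) -join '; '
        LegacyInstall  = $legacy
        ChannelPresent = [bool]$log
        EventsLastHour = $events.Count
        TopEventIds    = $top -join ', '
    }
}

$state = Get-SysmonPilotState
$state | Format-List
if ($state.LegacyInstall) {
    Write-Warning 'Standalone Sysmon found: uninstall it before enabling the built-in feature.'
} elseif ($state.FeatureState -eq 'Enabled' -and $state.EventsLastHour -eq 0) {
    Write-Warning "Feature enabled but no events in '$Channel' during the last hour."
}
```

Collected across a pilot cohort, the `FeatureState` column also shows which devices have the feature exposed at all, which is useful given the staged rollout.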

Security analysis and risk surface

  • Positive: Native availability encourages wider adoption of host telemetry that’s invaluable for detecting living‑off‑the‑land techniques and lateral movement. Tight integration with Windows eventing can improve reliability and reduce the operational burden of third‑party deployment pipelines.
  • Watchouts: Sysmon’s detailed event streams can include sensitive metadata. Organizations should carefully manage who can enable/disable the feature and ensure telemetry handling complies with internal privacy and data‑governance policies. Also, because the capability is new to Windows as an optional feature, automated management tooling and third‑party security products may need updates to discover or interpret the new “built‑in” state.

Usability and stability fixes: File Explorer, OneDrive/Dropbox, and Outlook

File Explorer remains a surface where small regressions become daily productivity problems. This build addresses several standing issues: keyboard navigation and access key improvements (helpful for accessibility users), fixes around renaming folders that have custom names, and corrected icons/tooltips for “Add to favorites.” These are low‑risk, high‑value quality fixes that reduce friction for power users and those who rely on assistive technologies.
A particularly practical fix in this release targets freezes and hangs that could occur when apps interacted with files stored on cloud sync providers like OneDrive and Dropbox. The Beta notes explicitly call out an issue where apps could freeze when editing or enumerating files in cloud folders; Outlook setups with PST files kept on OneDrive could also hang or reload email data. That kind of regression affects productivity directly and is a priority to resolve for end users who keep data in cloud‑synced locations.
Operational advice for Insiders and IT:
  • If you rely on OneDrive/Dropbox file storage for active PSTs or frequently edited documents, test this build in a controlled pilot before a broad deployment. The fixes reduce known friction, but cloud providers introduce many variables (client versions, placeholder file handling, network resiliency).
  • Keep desktop productivity backups: do not use this or any preview build on machines that host unrecoverable, business‑critical mailboxes or data without an independent backup.
  • If you see freezes after updating, restart Explorer, check sync client logs, and collect Feedback Hub traces. The release notes and community troubleshooting guides recommend standard steps (reinstall sync clients, update drivers) if symptoms persist.

Enablement package and rollout mechanics — what to expect

This package is an enablement-style update for Windows 11, version 25H2. The enablement approach means the underlying platform code is largely present on target devices; the enablement package flips on or entitles specific features. That makes installations fast but also creates nonuniform behavior: two otherwise identical PCs with the same KB installed can show different UI or features depending on region, entitlement, or whether the Insider has the “get the latest updates as soon as they’re available” toggle enabled.
Microsoft uses Controlled Feature Rollout to ramp features to subsets of Insiders as telemetry and feedback permit. In practice this means:
  • Features are often visible only to a percentage of devices initially.
  • Rollouts may be gated by hardware class (for example, Copilot+ NPU‑equipped devices), region (EEA and China are commonly excluded early), or licensing entitlements (Microsoft 365 Copilot scenarios).
  • The “Get the latest updates as soon as they are available” toggle prioritizes your device for earlier exposure; leaving it off delays visibility until Microsoft widens the rollout.
For administrators, the consequence is that internal QA matrices must account for the possibility of feature divergence: test fleets may need to include both toggle‑on and toggle‑off devices and different hardware classes to verify behavior comprehensively.

Accessibility and Copilot refinements

This release continues Microsoft’s iterative work on Copilot-integrated flows. Files from prior 26220.* previews show a pattern: Copilot-related UI elements (for example, Click to Do prompt suggestions) are tuned for speed and device‑gated behavior, with exclusions for regions like the EEA in early rollouts. Build 26220.7752 continues that pattern with the Click to Do latency improvements and Copilot experience rollouts tied to entitlement and hardware.
The addition of Netherlands locale support for Voice Access is another incremental accessibility win that broadens language coverage for speech-driven control. Insiders who use voice control should validate localized commands and report any translation or localization bugs via Feedback Hub.

Known issues and risks you must weigh

Even as the build fixes a raft of regressions, Microsoft documents several known issues across the 26220 series that Insiders should track:
  • Secondary-monitor black‑screen problem. Some devices have reported a secondary-monitor black-screen issue that can render an external display unusable; Microsoft is tracking this and lists it among known issues for this family. Multi‑monitor and docking-station users should be cautious when piloting the preview.
  • Xbox Full Screen Experience quirks and system-tray icon visibility. Elements of the Xbox FSE and intermittent system-tray icon visibility problems remain under investigation. These affect a smaller segment of users but can be disruptive depending on workflows.
  • Controlled Feature Rollout unpredictability. The CFR model means testers may see inconsistent behavior between machines; this creates additional QA overhead and complicates reproduction of bugs that only affect a subset of devices or entitlements.
Flagging these issues in pilot plans is essential. Microsoft typically responds with follow-up cumulative updates once telemetry and repros guide a fix. Keep an eye on Flight Hub and the Windows Insider blog posts for the official remediation timeline.

How to approach testing and pilot deployment (practical checklist)

  • Inventory: Identify pilot machines that represent the diversity of your fleet — different GPU vendors, docking stations, and Copilot+ versus non‑Copilot hardware.
  • Toggle strategy: Decide whether to enable the “Get the latest updates as soon as they’re available” toggle on pilot machines; enable it for early exposure but keep a controlled set with the toggle off to validate CFR differences.
  • Backup: Ensure users with PSTs or other sensitive files on OneDrive have local copies before upgrading. PSTs on cloud folders are an explicitly called‑out hazard that could cause Outlook to hang; protect against data loss.
  • Logging: Configure log collection (Event Viewer, Sysmon once enabled, and sync client logs) and centralize those artifacts for troubleshooting.
  • Automation retesting: Because of the WinUI migration of Settings dialogs and other UI changes, revalidate any automation or RPA scripts that interact with Settings dialogs or Account flows. UI element trees may have changed.
  • Driver hygiene: Update GPU and docking firmware drivers before and after the upgrade to minimize display-related regressions; many known issues correlate with driver/firmware mismatches.
  • Feedback: Use Feedback Hub to provide clear repro steps, attach process dumps where appropriate, and include build numbers (Build 26220.7752 / KB5074177) to help Microsoft triage.

Recommendations for different audiences

For enthusiasts and individual Insiders

If you enjoy being on the cutting edge and can accept some instability, install Build 26220.7752 on a spare device or on your main machine only if you maintain current backups. Try the built‑in Sysmon in a lab or test VM to verify its behavior with your SIEM before enabling on endpoints with production data.

For IT administrators and security teams

Pilot on a small, representative fleet. Validate Sysmon configuration and ingestion to your SIEM, and coordinate with security operations so increased event volume doesn’t trigger false positives. Don’t enable it widely until you’ve benchmarked storage and ingestion costs. Take the secondary‑monitor known issue seriously: test docking and multi‑monitor workflows thoroughly.

For enterprise rollout decision‑makers

Treat this as a preview package, not a production release. Use the enablement package characteristics and CFR behavior to scope pilot cohorts, and maintain a rollback plan. Remember that some Copilot and AI features are hardware- and entitlements‑gated and may not be relevant for managed, privacy‑constrained deployments.

What to watch next

  • Official Sysmon documentation and migration guidance from Microsoft — the release indicates documentation will be added soon; until then treat the built‑in Sysmon as preview-level and plan cautious pilots.
  • Fix timelines for the secondary-monitor black‑screen issue — this is the most consequential known issue for productivity environments, so vendor driver updates (Intel/AMD/NVIDIA) and Microsoft hotfixes are likely near the top of subsequent releases.
  • Broader rollouts of WinUI-based Settings migrations — WinUI migrations are incremental but can affect automation and accessibility behavior; track further migrations to plan regression testing.
  • Rollout status for Copilot features and regional availability changes — features currently excluded from the EEA and China may expand in scope, and Microsoft’s entitlement rules may evolve in response to enterprise feedback.

Final assessment

Build 26220.7752 (KB5074177) continues Microsoft’s pragmatic, enablement‑package-driven approach to delivering Windows 11, version 25H2 preview functionality to Insiders. It delivers meaningful operational conveniences — most notably the option to run Sysmon natively — and it addresses a series of painful day‑to‑day bugs, particularly around File Explorer and cloud‑synced file hangs. However, the CFR model and a handful of notable known issues (especially the secondary‑monitor black‑screen reports) mean this build should be treated as a preview for testing and validation rather than a push to production. Pilots that include diverse hardware, robust logging, and explicit rollback plans will gain the most benefit while keeping risk controlled.
For Insiders: toggle on “Get the latest updates as soon as they’re available” if you want early visibility, but proceed with care on machines that host critical data or multi‑monitor docking setups. For defenders and administrators: plan Sysmon pilots, update SIEM ingestion rules, and coordinate with endpoint management teams before enabling on fleets. The build advances host visibility and day‑to‑day polish, but the preview nature of many of its features means cautious, measured evaluation is the responsible path forward.


Source: Microsoft - Windows Insiders Blog Announcing Windows 11 Insider Preview Build 26220.7752 (Beta Channel)
 
