What the new Windows 11 Canary Build 28020.1611 actually adds (and why you might care)
The latest Canary drop brings two noticeable tweaks: a native Sysmon feature that finally lives inside Windows, and a modest overhaul of the Share pane for OneDrive links. The build also fixes the infamous watermark that has been showing the wrong number for weeks.
Built‑in Sysmon: native event logging without the extra download
Sysmon has been a staple of the Sysinternals toolbox for years, but it always required a manual install and a separate configuration file. This preview makes the feature part of the OS, hidden behind an optional‑feature toggle. The idea is simple – let security tools pull the same rich process‑creation data from the standard event log instead of hunting down a third‑party binary.
Enabling it isn’t magic; you still have to turn the feature on in Settings under System → Optional features → More Windows features, then tick Sysmon. Alternatively, run the DISM command Dism /Online /Enable-Feature /FeatureName:Sysmon. After that, a quick sysmon -i from an elevated prompt finishes the setup.
If a previous Sysmon installation exists, it must be removed first – the built‑in version won’t coexist with the older copy. That extra step feels like a leftover of the transition period and could trip newcomers who assume “just enable it”.
Why bother? For anyone running Windows Defender Advanced Threat Protection or a similar EDR, the native logs mean one less moving part to manage. The events themselves haven’t changed; you still get process hashes, parent‑child relationships, network connections, and so on. In practice, the biggest win is consistency – no more guessing whether a Sysmon service is from Microsoft or a third‑party download.
OneDrive sharing gets a Windows Share tweak
Right‑click → Share on a OneDrive file used to pop up a tiny dialog with a single “Copy link” button. The new build adds a small row of icons under the “Share using” label once that button is pressed. Those icons represent whatever apps are registered for handling URLs – Teams, Outlook, Slack, you name it.
The change rolls out only to Insiders signed into a Microsoft account outside the EEA, so most users in Europe won’t see it yet. It’s a tiny quality‑of‑life improvement that cuts down on an extra paste step. In real‑world testing, a user who frequently sends files to coworkers via Teams noticed the workflow shrank from three clicks to two.
There’s no deep under‑the‑hood overhaul here; it’s just a UI tweak that aligns OneDrive sharing with how other Windows share targets work. If you’re already comfortable dragging links into chat windows, the new icons might feel like an unnecessary garnish, but for those who rely on the Share pane as their primary file‑distribution method, it eliminates a minor annoyance.
Watermark finally shows the right number
The most visible bug in recent builds has been the desktop watermark stubbornly displaying an older build number. This preview corrects that oversight, so the little “28020” tag now matches what the system actually reports. It’s not a feature that changes how Windows works, but it does stop the confusion when screenshots are posted to forums and people ask why the numbers don’t line up.
Bottom line
The Canary build isn’t a massive overhaul; it’s more of a polish round with a couple of functional additions. Native Sysmon could streamline security logging for power users who already trust Microsoft’s event pipeline, while the OneDrive share tweak trims a few clicks for people who live in the Share pane. And at least the watermark finally stopped pretending to be something it isn’t.
Announcing Windows 11 Insider Preview Build 28020.1611 (Canary Channel)
Hello Windows Insiders, today we are releasing Windows 11 Insider Preview Build 28020.1611 to the Canary Channel.
Announcing Windows 11 Insider Preview Build 28020.1611 (Canary Channel)
