Metricbeat system modules reports Windows 11 as Windows 10

[cmacknz]

When running on Windows 11 the system module will report the running Windows version as Windows 10.

This was noticed as the endpoint security integration correctly identifies Windows 11 when agent is running on that operating system with both endpoint security and the system integration:

Endpoint Security:

      "os": {
        "Ext": {
          "variant": "Windows 11 Home"
        },
        "kernel": "21H2 (10.0.22000.556)",
        "name": "Windows",
        "family": "windows",
        "type": "windows",
        "version": "21H2 (10.0.22000.556)",
        "platform": "windows",
        "full": "Windows 11 Home 21H2 (10.0.22000.556)"
      },

System:

      "os": {
        "build": "22000.556",
        "kernel": "10.0.22000.556 (WinBuild.160101.0800)",
        "name": "Windows 10 Home",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },

We are reporting the value from reading the SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key exactly as read:

https://github.com/elastic/go-sysinfo/blob/bef435f84e9706a7c8fff908b5e54b984f98ca3b/providers/windows/os_windows.go#L33

The product name wasn't updated by Microsoft between the two products and the system integration isn't looking at anything else that allows distinguishing Windows 10 from Windows 11 like Endpoint is.

There are some related answers in the Microsoft support forums confirming the situation:

• https://docs.microsoft.com/en-us/answers/questions/555857/windows-11-product-name-in-registry.html?page=1&pageSize=10&sort=oldest
• https://docs.microsoft.com/en-us/answers/questions/586619/windows-11-build-ver-is-still-10022000194.html

This is a bug in that the system integration hasn't accounted for this problem yet.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[ph]

upstream issue elastic/go-sysinfo#118