Back to Intelligence

Windows Server 2022 Mainstream Support Ends: Asset Discovery and Migration Strategy

SA
Security Arsenal Team
July 18, 2026
5 min read

Microsoft has officially announced that Windows Server 2022 will reach its Mainstream Support end date in October 2026. While this transition does not immediately halt security updates—systems will move to Extended Support for five additional years—it marks a critical inflection point for enterprise infrastructure strategy.

For security practitioners, this is the trigger event to initiate comprehensive lifecycle audits. The next 90 days are the optimal window to identify every Windows Server 2022 instance in your environment before it transitions to a maintenance tier that lacks design changes, non-security hotfix support, and complimentary incident support. Failing to inventory these assets now creates a "technical debt" time bomb that will collide with the End of Support (EOS) deadline in 2031.

Technical Analysis

Affected Product: Windows Server 2022 (Standard, Datacenter, Datacenter: Azure Edition)

Build Number: 10.0.20348

Timeline Impact:

  • October 14, 2026: End of Mainstream Support. Transition to Extended Support (Security Updates only).
  • October 14, 2031: End of Extended Support. All security updates cease.

Defensive Risk Profile: While the immediate vulnerability surface does not expand due to a CVE, the operational risk increases significantly. Under Extended Support, Microsoft will not provide:

  1. Non-Security Updates: Requests for hotfixes for stability or compatibility issues will likely require a paid support agreement and may be denied if not security-critical.
  2. Design Changes: No new features or architectural adjustments.

From a threat-hunting perspective, the "threat" here is the gradual loss of compatibility with modern security agents and the potential for missed patching events as the OS ages. The primary defensive objective right now is Asset Visibility. You cannot secure what you cannot map.

Detection & Response

As this is a lifecycle management event, the focus of detection is Asset Discovery. Security teams must hunt for instances of Windows Server 2022 to flag them for the migration queue. The following rules and queries identify the specific build number (20348) and OS strings associated with this version.

SIGMA Rules

YAML
---
title: Potential Windows Server 2022 Host Identification via Registry
id: 45e8a2b1-1f3d-4c5e-9b6a-7d8e9f0a1b2c
status: experimental
description: Detects registry access or modifications that reveal the OS as Windows Server 2022 (Build 20348). This helps in identifying assets during lifecycle audits.
references:
  - https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2022
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.discovery
  - attack.t1082
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Details|contains:
      - 'Windows Server 2022'
      - '10.0.20348'
  condition: selection
falsepositives:
  - Legitimate administrative tasks or inventory scripts
level: low
---
title: Windows Server 2022 System Information Discovery
id: 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects execution of native system discovery commands often used to identify OS versions during inventory checks.
references:
  - https://attack.mitre.org/techniques/T1082/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.discovery
  - attack.t1082
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\systeminfo.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'os get'
      - 'Caption'
  condition: selection
falsepositives:
  - System administrators, automated inventory tools
level: low

KQL (Microsoft Sentinel / Defender)

This query hunts for devices reporting the specific OS version or build number associated with Windows Server 2022.

KQL — Microsoft Sentinel / Defender
DeviceInfo
| where OSPlatform == "Windows"
| extend OSDetail = iff(OSVersion contains "20348", "WinSrv2022", "Other")
| where OSDetail == "WinSrv2022"
| project DeviceName, OSVersion, LastSeen, AadDeviceId, IpAddress
| sort by LastSeen desc

Velociraptor VQL

Use this artifact to query the registry directly on endpoints to confirm the OS version and Product Name.

VQL — Velociraptor
-- Hunt for Windows Server 2022 instances
SELECT
  Fqdn,
  OSVersion,
  read_reg_key(path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName") as ProductName,
  read_reg_key(path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild") as BuildNumber
FROM info()
WHERE ProductName =~ "Windows Server 2022" OR BuildNumber = "20348"

Remediation Script (PowerShell)

This script audits the local system to determine if it is Windows Server 2022 and outputs a status recommendation.

PowerShell
# Audit Script for Windows Server 2022 Lifecycle Status
$CurrentBuild = [System.Environment]::OSVersion.Version.Build
$ProductName = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName

Write-Host "Auditing System for Windows Server 2022..." -ForegroundColor Cyan
Write-Host "Detected OS: $ProductName (Build $CurrentBuild)"

if ($ProductName -like "*Windows Server 2022*") {
    Write-Host "[ACTION REQUIRED] This system is Windows Server 2022." -ForegroundColor Red
    Write-Host "Mainstream Support ends October 2026. Initiate migration to Windows Server 2025 or move to Azure." -ForegroundColor Yellow
    # Exit code for automation pipelines
    exit 1
} else {
    Write-Host "[COMPLIANT] System is not affected by the Windows Server 2022 lifecycle event." -ForegroundColor Green
    exit 0
}

Remediation

  1. Execute Asset Inventory: Run the detection queries above immediately. Generate a list of all physical and virtual machines running Windows Server 2022 (Build 20348).
  2. Categorize by Risk: Identify servers holding sensitive data (PCI-DSS, HIPAA) or critical infrastructure roles (Domain Controllers, SCADA interfaces). These take priority.
  3. Initiate Migration Planning:
    • Target State: Windows Server 2025.
    • Alternative: Migrate workloads to Azure IaaS (Windows Server 2026/2031 equivalent).
  4. Review Licensing: Confirm your volume licensing agreements cover Extended Support updates if you intend to stay on Server 2022 past October 2026. While security updates are generally available, ensure there are no compliance gaps regarding support tiers.
  5. Update CMDB: Tag all identified servers in your Configuration Management Database (e.g., ServiceNow) with an "End of Mainstream Support - 2026" tag to trigger automated workflow notifications for patching and replacement.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurewindows-server-2022microsoftlifecycle-managementend-of-supportvulnerability-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.