Windows Stemcell Hardening

Page last updated:

This topic provides information about the security hardening of Windows stemcells.


A stemcell is a versioned OS image that is customized based on IaaS. A typical stemcell contains the OS image with common utilities, a BOSH agent, and configuration files to securely configure the OS.

Stemcell hardening is the process of securing a stemcell by reducing its surface of vulnerability. The surface of vulnerability for a stemcell is larger when a system performs more functions. For example, a single-function system is more secure than a multipurpose one.

Microsoft Baseline Security Standard

Windows Stemcells for both Pivotal Application Service (PAS) and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) follow the Microsoft Baseline Security Standard.

Note: Windows stemcells do not yet align completely with the Microsoft Baseline Security Standard. For details about the ways in which Windows stemcell hardening differs from the Microsoft Baseline Security Standard, contact Pivotal at

For more information about Microsoft Baseline Security Standard and to download security configuration baselines for Windows, see Microsoft Security Compliance Toolkit on the Microsoft website.

Audit Policies

Audit policies for Windows Server 2019 stemcells are based off Microsoft Baseline Security Standard. Audit policies allow you to better audit security vulnerabilities in your environment.

The following list includes some of the key audit policies applied to Windows Server 2019 stemcells:

  • Log success and failure audit events of user logins and logouts for Windows VMs.

  • Log audit events related to object access on Windows VMs.

  • Log audit events related to policy changes on Windows VMs.

For more information about audit policies that apply to Windows stemcells, see Microsoft Baseline Security Standard.