Pivotal Application Service for Windows v2.7 Release Notes

This topic contains release notes for Pivotal Application Service for Windows.

How to Upgrade

The Pivotal Application Service for Windows v2.7 tile is available with the release of Pivotal Platform v2.7. To use the Pivotal Application Service for Windows v2.7 tile, you must install Ops Manager v2.7 or later and PAS v2.7 or later. For more information, see .



Release Date: 10/16/2019

  • [Security Fix] Bump Go to address CVE-2019-16276
  • [Bug Fix] Increase task result file size to ensure apps with very long start commands stage successfully
  • Bump diego to version 2.36.5
  • Bump loggregator-agent to version 3.21.3
  • Bump loggregator to version 105.6.1
  • Bump windowsfs-release to version 2.1.0
Component | Version
windows2019 stemcell | 2019.11


Release Date: 10/08/2019

  • [Security Fix] Use envoy-nginx-release v0.6.0 to address HTTP2 vulnerabilities
  • [Security Fix] Upgrade Diego Components to Use grpc v1.23.0 and Go 1.12.9 to Fix HTTP2 CVEs
  • [Security Fix] Bump garden-runc release to take Go HTTP/2 and containerd gRPC fixes
  • [Feature Improvement] Docker image applications hosted in AWS ECR continue to run when restarted after the typical AWS ECR credential expiration period
  • [Bug Fix] Tag system containers with network.healthcheck so that 3rd party networking plugins can ignore them.
  • Bump windows2019 stemcell to version 2019.11
  • Bump diego to version 2.36.4
  • Bump envoy-nginx to version 0.6.0
  • Bump garden-runc to version 1.19.7
  • Bump winc to version 2.0.0
  • Bump windowsfs-release to version 2.0.0
Component | Version
windows2019 stemcell | 2019.11


Breaking Change: Platform engineers can no longer enable/disable RDP in PASW.

  • [Feature] Enable TLS connections from Router to Windows Applications [Beta]
  • [Feature Improvement] Add the ciphers configuration to envoy-nginx-release
  • [Feature Improvement] Windows Smoke Tests Errand uses windows stack instead of windows2016.
  • [Feature Improvement] Apps are provided 10 seconds to shut down gracefully
  • [Feature Improvement] Agent-based syslog egress is enabled by default
  • [Security Fix] Introduce and trust new Diego “root CA” in advance of existing CA expiration
  • [Bug Fix] Loggregator agent runs out of file descriptors causing windows diego cells to be unreachable
  • [Feature] Improve scalability of application syslog drain system with new syslog agent architecture
  • [Bug Fix] Fix various syslog drain bugs in the Syslog Agent
  • Bump windows2019 stemcell to version 2019.9
  • Bump cf-windows-smoke-tests to version 40.0.119
  • Bump diego to version 2.36.0
  • Bump envoy-nginx to version 0.5.0
  • Bump garden-runc to version 1.19.5
  • Bump hwc-offline-buildpack to version 3.1.10
  • Bump loggregator-agent to version 3.21
  • Bump loggregator to version 105.6
  • Bump winc to version 1.14.0
  • Bump windows-utilities to version 0.13.0
  • Bump windowsfs-release to version 1.8.0
Component | Version
windows2019 stemcell | 2019.9

New Features in Pivotal Application Service for Windows v2.7

Pivotal Application Service for Windows v2.7 includes the following major features:

Deprecation of the windows2016 Stack

You should migrate any apps that run on the windows2016 stack to the windows stack.

You can migrate your apps from windows2016 to windows using Stack Auditor, a Cloud Foundry CLI plugin. For more information, see Using the Stack Auditor Plugin.

Pre-Installed Visual C++ Redistributables

Pivotal Application Service for Windows v2.7 includes pre-installed Microsoft Visual C++ Redistributables for Visual Studio 2010, 2015, 2017 and 2019. This change is backported to Pivotal Application Service for Windows v2.2.

This update improves the developer experience by making Visual C++ Redistributables readily available for .NET apps. Developers no longer have to manually bin deploy to reference C++ or C++-based libraries.

Agent-Based Syslog Egress Is Enabled by Default

Pivotal Application Service for Windows v2.7 contains Syslog Agent, an agent that forwards logs to configured syslog drains and Loggregator. Syslog Agent is enabled by default, and the option to enable or disable syslog egress is removed from the PAS UI.

Additionally, the instance groups syslog_adapter and syslog_scheduler, and the property syslog_metrics_to_syslog_enabled are removed, as agent-based syslog egress removes the need for VMs dedicated to syslog drains.

For more information about how Syslog Agent functions within Loggregator, see Loggregator Architecture and the loggregator-agent-release repository on GitHub.

RDP Support Removed in Favor of BOSH SSH

Warning: This feature is a breaking change. See RDP is Not Supported in Pivotal Platform v2.7 Breaking Changes.

The Enable Remote Desktop Protocol field is removed from the PASW tile. PASW VMs do not support connection through RDP.

This is part of a larger effort to achieve platform parity with Linux VMs by enabling bosh ssh for all actions related to the Windows VMs.

To access Windows VMs, use bosh ssh. To enable bosh ssh for Windows VMs, select Enable BOSH-native SSH support on all VMs in the PASW tile.

For more information, see the Configure VMs section in Installing and Configuring PASW.

New Advanced Features

The Advanced Features pane of the Pivotal Application Service for Windows tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

Pivotal Application Service for Windows v2.7 includes the following advanced features:

(Beta) Enable TLS Connections From Router to Apps

You can enable TLS connections from the router to apps. This feature is available in the Pivotal Application Service for Windows tile under Advanced Features.

You can select one of three options to configure route integrity and mTLS (mutual TLS):

  • Disable route integrity and mutual TLS (Default): This beta feature is disabled by default.
  • Router uses TLS to verify application identity: This enables route integrity for your apps but not mTLS.
  • Router and applications use mutual TLS to verify each other’s identity (incompatible with TCP Routing): This option enables both route integrity and mTLS.

Note: This beta feature checks only that the client certificate is signed by the expected CA using mTLS. It does not include Subject Alternative Name (SAN) checks of the presented client certificates.
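
The difference between the CA-only check described in the note above and a check that also pins the Subject Alternative Name, shown as an added example that is not part of the product or its documentation. The certificates, the CA and the names `router.example.internal` and `other.example.internal` are constructed for illustration, and the code assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed certificate: a self-signed CA if parent is nil, else a client cert with DNS SAN = name.
func issue(name string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = t, key
	} else {
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{name}, x509.KeyUsageDigitalSignature, clientAuth
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// verifyClient checks that client chains to ca; a non-empty wantSAN also requires that name in the certificate's SAN.
func verifyClient(client, ca *x509.Certificate, wantSAN string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, DNSName: wantSAN, KeyUsages: clientAuth})
	return err
}

func main() {
	ca, caKey := issue("constructed-ca", 1, nil, nil)
	other, _ := issue("other.example.internal", 2, ca, caKey)
	fmt.Printf("CA-only: %v\nCA+SAN: %v\n", verifyClient(other, ca, ""), verifyClient(other, ca, "router.example.internal"))
}
```

With the CA-only check, every certificate issued by the trusted CA is accepted as a client, so the CA's issuance scope is the effective access boundary while SAN checks are absent.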