Stemcell v2019.x (Windows Server version 2019) Release Notes
This topic includes release notes for Windows stemcells used with Pivotal Application Service for Windows (PASW) v2.5, v2.6, v2.7, and v2.8.
The stemcell is based on Windows Server, version 2019.
To download a stemcell, see Stemcells for Ops Manager (Windows) on Pivotal Network.
Release Date: February 14th, 2020
- Includes the February 11, 2020—KB4532691 Microsoft Security Updates Patch. See February 11, 2020—KB4532691.
- Supports signed URL capability. If Windows users opt in, the BOSH agent manages artifacts on the blobstore using signed URLs rather than blobstore credentials. For more information on how to opt in to signed URLs, see Signed URLs in the Cloud Foundry BOSH documentation.
- stembuild validates that the VM OS is Windows Server 2019, OS build 17763. This is the only OS version that stembuild v2019.x is compatible with.
- Fixed a bug where stembuild construct did not execute successfully if it could not fetch updated root certificates from the public Windows Update Server.
Note: You must manually update your certificates if your VM does not have access to the public Windows Update Server.
- Fixed a bug that tried to validate your VM credentials before connecting to the VM via WinRM.
For more information on the original validation bug, see “Validating connection to vm…” step fails during stembuild construct for Stembuild v2019.15 in the Pivotal Knowledge Base.
Note: There is no Windows stemcell v2019.16.
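One way to handle the manual certificate update mentioned in the note above, for a VM that cannot reach the public Windows Update Server. This is an added example, not part of the original release notes and not Pivotal's documented procedure. The function name Update-OfflineRootStore and the C:\transfer path are hypothetical; certutil -generateSSTFromWU and Import-Certificate are standard Windows tools.

```powershell
# Added example; the function name and file paths are assumptions.
# Step 1 (on a machine WITH internet access): export the current Microsoft root set.
#   certutil.exe -generateSSTFromWU C:\transfer\roots.sst
# Step 2: copy roots.sst to the offline VM and run the function below as Administrator.

function Update-OfflineRootStore {
    param(
        [Parameter(Mandatory)] [string] $SstPath,
        [string] $ExpectedBuild = '17763'   # the only OS build stembuild v2019.x accepts
    )

    # Fail early if the VM is not on the build that stembuild v2019.x validates against.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.BuildNumber -ne $ExpectedBuild) {
        throw "OS build $($os.BuildNumber) is not $ExpectedBuild; stembuild v2019.x will reject this VM."
    }

    if (-not (Test-Path -LiteralPath $SstPath)) {
        throw "Root certificate store file not found: $SstPath"
    }

    $store  = 'Cert:\LocalMachine\Root'
    $before = @((Get-ChildItem -Path $store).Thumbprint)

    # Import-Certificate accepts .sst files and adds every certificate they contain.
    Import-Certificate -FilePath $SstPath -CertStoreLocation $store | Out-Null

    # Report what changed so the update can be reviewed before packaging the stemcell.
    $after   = @(Get-ChildItem -Path $store)
    $added   = @($after | Where-Object { $before -notcontains $_.Thumbprint })
    $expired = @($after | Where-Object { $_.NotAfter -lt (Get-Date) })

    [pscustomobject]@{
        OsBuild      = $os.BuildNumber
        RootsBefore  = $before.Count
        RootsAfter   = $after.Count
        AddedRoots   = $added.Subject
        ExpiredRoots = $expired.Subject
    }
}

# Example call on the offline VM (path is an assumption):
Update-OfflineRootStore -SstPath 'C:\transfer\roots.sst'
```

Review the AddedRoots list against what you expect to trust before running stembuild construct, since the import adds every certificate in the file to the machine's trusted root store.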
Release Date: January 18, 2020
- Includes Microsoft Security Updates Patch Tuesday January 2020. This release includes fixes for CVE-2020-0601.
- stembuild construct may fail when it validates the connection to the VM. This is caused by the WinRM configuration. For more information about the specific symptoms and recommended temporary workaround for this issue, see “Validating connection to vm…” step fails during stembuild construct for Stembuild v2019.15.
Note: The feature to update root certificates in stembuild-built stemcells, released in 2019.14, requires an internet connection to the Windows Updates Server to complete successfully.
Release Date: December 16, 2019
- Updated stembuild to always use the latest version of OpenSSH (8.0.0-p1-beta as of this release)
- Root certificates on machines deployed using stembuild-built stemcells get updated certificates from the Windows Updates Server
Release Date: November 22, 2019
- Added logging and exit code to stembuild construct to allow users to see the progress of the command and know whether it has completed preparing the VM for packaging
- Added retry behavior for the file rename operation in the compilation VM to reduce risk of compilation failure due to custom antivirus installations in the base image
Release Date: October 10, 2019
- Added a flag to stembuild package to allow users to specify the patch version for the stemcell .tgz output
- Aligned Internet Explorer-based policies in stemcells built using stembuild with Microsoft Baseline Security Standard
- Fixed a bug where stembuild construct was failing to execute with a DISM error
Note: Do not use stembuild-2019.11 because it will fail on stembuild construct. Use
Release Date: September 26, 2019
- Enabled the Hyper-V Windows feature for enabling Windows 2019 stemcells built using stembuild
- Improved security hardening of Windows stemcells by aligning Internet Explorer-based policies with the Microsoft Baseline Security Standard
- Fixed a bug that left user directories on the target machines after a user had terminated a BOSH SSH connection into that machine:
  - Deleted: .ssh directory and all normal files in the home directory that may have been created during the SSH session.
  - Not deleted: .dat files loaded as part of the registry hive when a user logs in. Files will exist with file locks until the next VM reboot.
Note: There is no Windows stemcell v2019.10.
Release Date: August 27, 2019
- Includes Microsoft Security Updates Patch Tuesday August 2019
- Aligned a set of audit policies on the stemcells based on Microsoft Baseline Security Standard
- Introduced a new feature in the stembuild construct command to validate/invalidate the OS based on stembuild version.
Release Date: July 23, 2019
- Includes Microsoft Security Updates Patch Tuesday July 2019
- Windows Defender is installed but disabled on all stemcells.
Release Date: July 1, 2019
- Key improvements in stembuild with features such as SSH enable-by-default for deployed Windows VMs on vSphere and security fixes.
- Enabled the Hyper-V Windows feature for enabling Windows in PKS and NSX-T compatibility with Windows teams.
Release Date: June 19, 2019
- Includes Microsoft Security Updates June 11, 2019—KB4503327
- Introduces 22.214.171.124 (L1) and 1.1.1 (L1) CIS L1 policy hardenings based on the CIS Security Benchmark.
Release Date: May 30, 2019
- Based on Microsoft’s guidance, additional fixes to protect against speculative execution side-channel vulnerabilities
Release Date: May 22, 2019
- Platform Engineers can deploy Windows Stemcells on a BOSH Director with Google Cloud Storage as their external Blobstore.
- Improved troubleshooting of Windows VMs, with SSH enabled by default for all Windows VMs. You can still disable SSH in the PASW tile.
- Includes Microsoft Security Updates to protect against Microarchitectural Data Sampling side-channel vulnerabilities. For more information, see May 14, 2019—KB4494441 (OS Build 17763.503) in the Windows support documentation.
Release Date: April 25, 2019
- This is the first 2019 stemcell.
- Includes Microsoft Security Updates Patch Tuesday April 2019