---
title: Stemcell v1200.x (Windows 2012R2) Release Notes
owner: Windows
---
This topic includes release notes for Windows stemcells used with Pivotal Application Service (PAS) for Windows 2012R2.
To download a stemcell, see [Stemcells for PCF (Windows)](https://network.pivotal.io/products/stemcells-windows-server) on Pivotal Network.
## <a id="1200.31"></a>1200.31
### Features
- Includes [March 2019 Microsoft Security Updates](https://support.microsoft.com/en-us/help/4489883).
### Bug Fix
- Disabled additional configuration related to NetBios. See the Pivotal Tracker [story](https://www.pivotaltracker.com/story/show/163772249).
## <a id="1200.30"></a>1200.30
### Features
- Includes [February 2019 Microsoft Security Updates](https://support.microsoft.com/en-us/help/4487028).
## <a id="1200.29"></a>1200.29
### Bug Fix
- Symlinks in 2012R2 were not getting cleaned up properly, causing issues with BOSH DNS. This bug was blocking an urgent release of BOSH DNS due to a [GoLang CVE](https://www.pivotaltracker.com/story/show/163153521). This issue is resolved.
## <a id="1200.28"></a>1200.28
### Features
- Intended for use with [January 2019 Microsoft Security Updates](https://support.microsoft.com/en-us/help/4480964).
## <a id="1200.27"></a>1200.27
### Features
- Intended for use with [December 2018 Microsoft Security Updates](https://support.microsoft.com/en-us/help/4471320/windows-8-1-update-kb4471320).
## <a id="1200.26"></a>1200.26
### Features
- Intended for use with [November 2018 Patch Tuesday Updates from Microsoft](https://support.microsoft.com/en-us/help/4467697/windows-8-1-update-kb4467697).
## <a id="1200.25"></a>1200.25
### Features
- Intended for use with [October 2018 Microsoft Security Updates](https://support.microsoft.com/en-us/help/4462941/windows-8-update-kb4462941).
- To ensure a consistent runtime for our users, we now manage the version of PowerShell for 2012R2. We upgraded the PowerShell version to v5.1 in this release.
### Bug Fix
- Intermittent "Access denied" errors occurred during the compilation phase of PAS-W deployments. This release adds a fix that potentially resolves them.
## <a id="1200.24"></a>1200.24
**Release Date**: September 24, 2018
### Features
- Intended for use with [September 2018](https://support.microsoft.com/en-us/help/4457143) Microsoft Security Updates.
### Bug Fix
- Previously, the `os_version` argument was mandatory during the `Invoke-Sysprep` step.
The OS is now detected by default, and the `os_version` argument is optional.
## <a id="1200.23"></a>1200.23
**Release Date**: August 27, 2018
### Features
- Intended for use with the [August 2018](https://support.microsoft.com/en-us/help/4343898/windows-81-update-kb4343898) Microsoft Security Updates.
- Includes an important Microsoft Security Update that provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF). For more information, see [Windows Support](https://support.microsoft.com/en-us/help/4343897/windows-10-update-kb4343897).
- Compatible with the latest stable OpenSSH version, OpenSSH_for_Windows_v7.7.2.0p1-Beta. This version fixed the issue of OpenSSH logs filling up the disk.
### Security Update
* Disabled use of TLS 1.0 by SSL/TLS server and client.
* Disabled RC4 and DCOM.
* Disabled the triple-DES cipher to mitigate Sweet32 birthday attacks on 64-bit block ciphers in TLS.
## <a id="1200.22"></a>1200.22
**Release Date**: August 9, 2018
* Intended for use with the [July 2018](https://support.microsoft.com/en-us/help/4338831/july172018kb4338831osbuildpreviewofmonthlyrollup) Microsoft security updates.
* Intended for use with the [Security and Quality Rollup updates for .NET Framework](https://support.microsoft.com/en-us/help/4338419/description-of-the-security-and-quality-rollup-updates-for-net-framewo).
* **Bug Fix**: Previously, when operators selected the **Encrypt Linux EBS Volumes** checkbox in the IaaS-specific configuration section of the BOSH Director tile, the deployment of PAS for Windows would fail. This release enables operators to select the **Encrypt Linux EBS Volumes** checkbox without the deployment of PAS for Windows failing. However, only Linux VMs will be encrypted, not Windows VMs.
## <a id="1200.21"></a>1200.21
**Release Date**: July 9, 2018
* Intended for use with [June 2018](https://support.microsoft.com/en-us/help/4103727/windows-10-update-kb4103727) Microsoft security updates.
* Includes [CIS MS-L1 v2.2.1](https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf) security hardening for the public IaaSes (Azure, AWS, and GCP).
## <a id="1200.19"></a>1200.19
**Release Date**: June 1, 2018
* **Bug Fix**: Includes a fix to support time syncing, as stated by Microsoft, even when the time is drastically off.
## <a id="1200.18"></a>1200.18
**Release Date**: May 18, 2018
* Intended for use with [May 2018](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/a82328f9-1f26-e811-a968-000d3a33a34d) Microsoft security updates.
## <a id="1200.17"></a>1200.17
**Release Date**: May 8, 2018
* Intended for use with [April 2018](https://support.microsoft.com/en-us/help/4093121/windows-81-update-kb4093121) Microsoft security updates.
* Fixed a security issue.
* Includes fixes for these security updates from Microsoft:
    * Microsoft Internet Explorer Cumulative Security Update (MS15-124)
    * Microsoft Internet Explorer Security Update for September 2017
    * Microsoft Windows CredSSP updates for March 2018
* Disabled root disk resizing and provided larger root disks by default. For more information, see [Using Windows Stemcells](https://docs.pivotal.io/pivotalcf/2-1/windows2012r2/about-windows-stemcells.html).
## <a id="1200.16"></a>1200.16
**Release Date**: March 26, 2018
* Increases Windows service start timeout. For more information, see the following Pivotal Tracker Story: [https://www.pivotaltracker.com/story/show/154808080](https://www.pivotaltracker.com/story/show/154808080).
* This stemcell is intended for use with the following:
    * March 2018 Microsoft security updates.
    * <a href="https://support.microsoft.com/en-gb/help/4056898/windows-81-update-kb4056898">KB4056898</a>, which includes security improvements that address <a href="https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution">speculative execution side-channel vulnerabilities</a>. See Microsoft's <a href="https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898">Known Issues</a> for this patch.
* For vSphere, you must install the patch manually because it was not available through Windows Update when the patch was initially shipped. In addition, you must manually enable the patch. See <a href="https://github.com/cloudfoundry-incubator/bosh-windows-stemcell-builder/wiki/Creating-a-vSphere-Stemcell-by-Hand">Creating a vSphere Stemcell by Hand</a> for information about installing the patch.
## <a id="1200.15"></a>1200.15
**Release Date**: February 21, 2018
* This stemcell is intended for use with the following:
    * February 2018 Microsoft security updates.
    * <a href="https://support.microsoft.com/en-gb/help/4056898/windows-81-update-kb4056898">KB4056898</a>, which includes security improvements that address <a href="https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution">speculative execution side-channel vulnerabilities</a>. See Microsoft's <a href="https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898">Known Issues</a> for this patch.
* For vSphere, you must install the patch manually because it was not available through Windows Update when the patch was initially shipped. In addition, you must manually enable the patch. See <a href="https://github.com/cloudfoundry-incubator/bosh-windows-stemcell-builder/wiki/Creating-a-vSphere-Stemcell-by-Hand">Creating a vSphere Stemcell by Hand</a> for information about installing the patch.
## <a id="1200.14"></a>1200.14
**Release Date**: February 13, 2018
* Mitigates <a href="https://www.cloudfoundry.org/blog/cve-2018-1197">CVE-2018-1197: GCP Metadata Endpoint Accessible from Application Containers on Windows</a>
* [Bug Fix] Fixes issue with OpenSSH 0.0.24
* This stemcell is intended for use with <a href="https://support.microsoft.com/en-gb/help/4056898/windows-81-update-kb4056898">KB4056898</a>, which includes security improvements that address <a href="https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution">speculative execution side-channel vulnerabilities</a>. See Microsoft's <a href="https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898">Known Issues</a> for this patch.
* For vSphere, you must install the patch manually because it was not available through Windows Update when the patch was initially shipped. In addition, you must manually enable the patch. See <a href="https://github.com/cloudfoundry-incubator/bosh-windows-stemcell-builder/wiki/Creating-a-vSphere-Stemcell-by-Hand">Creating a vSphere Stemcell by Hand</a> for information about installing the patch.
## <a id="1200.13"></a>1200.13
**Release Date**: January 17, 2018
* This stemcell is intended for use with <a href="https://support.microsoft.com/en-gb/help/4056898/windows-81-update-kb4056898">KB4056898</a>, which includes security improvements that address <a href="https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution">speculative execution side-channel vulnerabilities</a>. See Microsoft's <a href="https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898">Known Issues</a> for this patch.
* For vSphere, you must install the patch manually because it was not available through Windows Update when the patch was initially shipped. In addition, you must manually enable the patch. See <a href="https://github.com/cloudfoundry-incubator/bosh-windows-stemcell-builder/wiki/Creating-a-vSphere-Stemcell-by-Hand">Creating a vSphere Stemcell by Hand</a> for information about installing the patch.
## <a id="1200.11"></a>1200.11
**Release Date**: December 22, 2017
* For Azure, GCP, and AWS Windows Stemcells, the root disk (C Drive) will be automatically resized on creation to the disk size specified in BOSH cloud config. Due to current CPI limitations, vSphere Stemcells are NOT able to resize their root disk on creation.
* Intended for use with December Microsoft security updates.
## <a id="1200.10"></a>1200.10
**Release Date**: December 19, 2017
* You must use <a href="https://github.com/pivotal-cf-experimental/stembuild/releases/tag/0.13">stembuild version 0.13</a> when creating a 1200.10 stemcell by hand.
* AWS stemcells repartition to use entire root disk size as specified in BOSH cloud config.
* Stemcell adds support for multiple CPIs. You can now set `stemcell_formats` in stemcell.MF.
* Intended for use with November Microsoft security updates.
* Updated OpenSSH to 0.0.22.
* The BOSH Agent uses a lock file to ensure that DNS resolvers are updated only on first startup.
## <a id="1200.8"></a>1200.8
**Release Date**: November 10, 2017
* BOSH Agent: Disables port 5985 for WinRM by default.
* [Bug Fix] Fixes an issue where an empty cloud config would remove all DNS resolvers from a Windows host.
* [Bug Fix] Fix for IPsec add-on.
### Known Issues
* File `updates.txt` is not generated for 2016/1709 stemcells.
## <a id="1200.7"></a>1200.7
**Release Date**: October 23, 2017
* [Bug Fix] BOSH Agent timeout fix for high ESX workload scenarios.
* Intended for 2017 Oct Windows Updates roll-up (KB4041685).
## <a id="1200.6"></a>1200.6
**Release Date**: October 18, 2017
* [Security Improvement] Includes [CIS MS-L1 v2.2.1](https://www.cisecurity.org/cis-benchmarks/) security hardening.
* [Security Improvement] The security policies disable RDP by default. To enable RDP, use the `enable_rdp` job in the [windows-utilities-release](https://github.com/cloudfoundry-incubator/windows-utilities-release) (version 0.4.0 or greater).
* [Bug Fix] Fixes an issue in the BOSH Agent regarding DNS resolvers that can cause application downtime when a BOSH Director is unavailable (e.g. during upgrades) when deployed on Cloud Foundry.
### Known Issues
* In the case of an empty cloud config, the Windows host DNS list will be cleared on BOSH Agent restarts.
* CIS policies break the IPsec add-on.
## <a id="1200.5"></a>1200.5
**Release Date**: October 11, 2017
* Install-CFFeatures is now Install-CFFeatures2012.
* [Security Improvement] BOSH Agent randomizes password for Administrator user on bootup. To set the password, use the `set_password` job in the [windows-utilities-release](https://github.com/cloudfoundry-incubator/windows-utilities-release).
* Removes Windows Defender for all IaaSes in Windows Server 2016/1709.
* [Improvement] No longer installs Docker on Windows 2016/1709.
## <a id="1200.4"></a>1200.4
**Release Date**: September 14, 2017
* The BOSH-Agent now disables automatic updates during its bootstrap process.
* No longer removes Powershell-ISE when building the stemcell.
* Added better error checking when applying group policies.
* Intended for 2017 Sep Windows Updates roll-up.
* Sets smaller MTU of network interfaces created by Docker on GCP for Windows 2016.
* Skips sysprep until the official Windows 1709 build is available, due to a bug in the insider build.
## <a id="1200.3"></a>1200.3
**Release Date**: August 22, 2017
* Agent backs off exponentially when unable to reach the director, moving from 5 seconds to 160 seconds over 6 connection attempts, to reduce the impact on small-footprint BOSH VMs. This resolves BOSH Agent [Open Issue #137](https://github.com/cloudfoundry/bosh-agent/issues/137).
* BOSH SSH is now supported as a beta feature. Users can enable connecting to a cmd session using the `bosh ssh` command by running the relevant job from windows-utilities-release.
* Fixed an issue where jobs were being stopped synchronously rather than concurrently, preventing stop scripts that waited on other stop scripts from ever finishing.
* Fixed an issue where jobs that failed to start on the first attempt weren't being retried.
* Other minor bug fixes and performance improvements.
## <a id="1200.0"></a>1200.0
**Release Date**: July 14, 2017
* Includes July 2017 Windows Security Updates.
* Fixes an error where Windows stemcells were incompatible with the BOSH Director setting `enable_nats_delivered_templates` set to true.
* Fixed startup issue on GCP.
* Fixed issue where the Windows Agent would reset DNS settings whenever the HTTPMetadataService was invoked on AWS.
* Upgrades included .NET version to 4.7.
## <a id="1079.0"></a>1079.0
**Release Date**: June 5, 2017
* Based on Windows Server 2012R2.
* Includes .NET Framework 4.6.1.
* Available for AWS, GCP, and Azure.
* Includes all Windows Updates and security patches up through April 2017.
* To be used with Pivotal Cloud Foundry (PCF) Runtime for Windows v1.9.3+, v1.10.2+, and v1.11.0.
## <a id="1056.1"></a>1056.1
**Release Date**: June 1, 2017
* Based on Windows Server 2012R2.
* Includes .NET Framework 4.6.1.
* Available for AWS, GCP, and Azure.
* Includes all Windows Updates and security patches up through March 2017.
* To be used with Pivotal Cloud Foundry (PCF) Runtime for Windows v1.9.0, v1.9.1, v1.9.2, v1.10.0, v1.10.1.
## <a id="1056.0"></a>1056.0
**Release Date**: April 5, 2017
* Based on Windows Server 2012R2.
* Includes .NET Framework 4.6.1.
* Available for AWS, GCP, and Azure.
* Includes all Windows Updates and security patches up through March 2017.
* To be used with Pivotal Cloud Foundry (PCF) Runtime for Windows v1.9.0, v1.9.1, v1.9.2, v1.10.0, v1.10.1.
### Known Limitations
* Does not support BOSH SSH or persistent disks.