This topic provides information about the security hardening of Windows stemcells.


A stemcell is a versioned OS image that is customized based on IaaS. A typical stemcell contains the OS image with common utilities, a BOSH agent, and configuration files to securely configure the OS.

Stemcell hardening is the process of securing a stemcell by reducing its surface of vulnerability. The surface of vulnerability for a stemcell is larger when a system performs more functions. For example, a single-function system is more secure than a multipurpose one.

Microsoft Baseline Security Standard

Windows Stemcells for both VMware Tanzu Application Service for VMs (TAS for VMs) and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) follow the Microsoft Baseline Security Standard.

Note: Windows stemcells do not yet align completely with the Microsoft Baseline Security Standard. For details about the ways in which Windows stemcell hardening differs from the Microsoft Baseline Security Standard, contact VMware at

For more information about Microsoft Baseline Security Standard and to download security configuration baselines for Windows, see Microsoft Security Compliance Toolkit on the Microsoft website.

Audit Policies

Audit policies for Windows Server 2019 stemcells are based off Microsoft Baseline Security Standard. Audit policies allow you to better audit security vulnerabilities in your environment.

The following list includes some of the key audit policies applied to Windows Server 2019 stemcells:

  • Log success and failure audit events of user logins and logouts for Windows VMs.

  • Log audit events related to object access on Windows VMs.

  • Log audit events related to policy changes on Windows VMs.

For more information about audit policies that apply to Windows stemcells, see Microsoft Baseline Security Standard.

Firewall Settings

Windows Server 2019 stemcells align with the firewall behavior recommended by the Microsoft Baseline Security Standard. However, they are not fully compliant with the Microsoft Baseline Security Standard.

The Windows stemcells block all inbound requests and permit all outbound requests. Specific ports are open for communication between Ops Manager components and the Windows VM.

For more information about the firewall rules for the Windows Server 2019 stemcells, contact VMware at

check-circle-line exclamation-circle-line close-line
Scroll to top icon