
VA Technical Reference Model v 18.12

Windows Server
Windows Server Technology

General Information

Technologies must be operated and maintained in accordance with Federal and Department security and privacy policies and guidelines. More information on the proper use of the TRM can be found on the TRM Proper Use Tab/Section.

Description: Windows Server is a proprietary operating system developed by Microsoft for use on server computer systems.

The TRM decisions in this entry only apply to technologies and versions owned, operated, managed, patched, and version-controlled by VA. This includes technologies deployed as software on VMs within VA-controlled cloud environments (e.g. VA Enterprise Cloud (VAEC)). Cloud services provided by the VAEC and those controlled and managed by an external Cloud Service Provider (i.e. SaaS) are not in the purview of the TRM. For more information on the use of cloud services and cloud-based products within VA, including VA private clouds, please see the Enterprise Cloud Solutions Office (ECSO) Portal at:
Technology/Standard Usage Requirements: Users must ensure their use of this technology/standard is consistent with VA policies and standards, including, but not limited to, VA Handbooks 6102 and 6500; VA Directives 6004, 6513, and 6517; and National Institute of Standards and Technology (NIST) standards, including Federal Information Processing Standards (FIPS). Users must ensure sensitive data is properly protected in compliance with all VA regulations. Prior to use of this technology, users should check with their supervisor, Information Security Officer (ISO), Facility Chief Information Officer (CIO), or local Office of Information and Technology (OI&T) representative to ensure that all actions are consistent with current VA policies and procedures prior to implementation.
Section 508 Information: This technology has not been assessed by the Section 508 Office. The Implementer of this technology has the responsibility to ensure the version deployed is 508-compliant. Section 508 compliance may be reviewed by the Section 508 Office and appropriate remedial action required if necessary. For additional information or assistance regarding Section 508, please contact the Section 508 Office at
Decision Constraints: Due to potential information security risks, cloud based technologies may not be used without the approval of the VA Enterprise Cloud Services (ECS) Group. This body is in part responsible for ensuring organizational information, Personally Identifiable Information (PII), Protected Health Information (PHI), and VA sensitive data are not compromised. (Ref: VA Directive 6004, VA Directive 6517, VA Directive 6513 and VA Directive 6102).

Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities.

Configuration and deployment standards for Windows Server images, including standards for Active Directory and Hyper-V Roles which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE), must be followed and adhered to unless an appropriate waiver is granted. See the reference section for more information.

No new installs of Deprecated Versions are allowed.

Unapproved versions or components can be used only if a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the AERB, has been granted to the project team or organization that wishes to use the technology. (ref: and FAQ #4 and FAQ #5 for information on Decisions and AERB Waivers.)

Windows Server 2008 SP2 is deprecated after 6/1/2015 and is only approved for use on servers that support SCCM 2007. Non-SCCM servers running Windows 2008 (non-R2) must migrate to Windows 2008 R2 or 2012 R2.

Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and must only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process. It is recommended that the AERB require all waivered instances of Windows 2003 Server to install Internet Explorer (IE) Version 8 which is the latest supported version of IE for this product.

The use of Windows BitLocker disk encryption, which is integrated into the Windows Operating System, is unapproved and must only be used when standard VA encryption technology cannot be used and is reviewed and approved by the AERB waiver process.

The Windows Defender component of the optional Desktop Experience package is unapproved and must only be used when standard VA security technology cannot be used and is reviewed and approved by the AERB waiver process. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.

Windows Internal Database (WID) is authorized only for use by Windows Server and must not be used by any end-user applications. See the "Component" section of this TRM entry for more details.

The Microsoft Virtual Server component which was replaced by the Hyper-V Role is prohibited from use and users must use the Hyper-V Role on approved versions of Windows Server.

Decision Source: TRM Mgmt Group
Decision Process: One-VA TRM v18.10
Decision Date: 10/11/2018
Aliases: Windows Server 2012; Windows Server 2008; Windows Server 2003; MS Windows Server; Microsoft Edge
Introduced By: Enterprise Program Management Office (EPMO) TRM Team
Vendor Name: Microsoft
- The information contained on this page is accurate as of the Decision Date (10/11/2018).