<Past |
Future> |
2000 (all versions) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
2003 SP2 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
2003 R2 SP2 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
2008 SP2 |
Approved w/Constraints [5, 6] |
Divest [6, 7] |
Divest [6, 8] |
Divest [6, 8] |
Divest [6, 8] |
Divest [6, 8] |
Divest [6, 8] |
Divest [6, 9] |
Divest [6, 9] |
Divest [6, 9] |
Divest [6, 9] |
Divest [9, 10] |
2008 R2 SP1 |
Approved w/Constraints [5, 6] |
Approved w/Constraints [6, 7] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [9, 10] |
2012 |
Approved w/Constraints [5, 6] |
Approved w/Constraints [6, 7] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [9, 10] |
2012 R2 (KB2919355) |
Approved w/Constraints [5, 6] |
Approved w/Constraints [6, 7] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 8] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [6, 9] |
Approved w/Constraints [9, 10] |
2016 (v10) |
Approved w/Constraints [1, 5, 6] |
Approved w/Constraints [1, 6, 7] |
Approved w/Constraints [1, 6, 8] |
Approved w/Constraints [1, 6, 8] |
Approved w/Constraints [1, 6, 8] |
Approved w/Constraints [1, 6, 8] |
Approved w/Constraints [1, 6, 8] |
Approved w/Constraints [1, 6, 9] |
Approved w/Constraints [1, 6, 9] |
Approved w/Constraints [1, 6, 9] |
Approved w/Constraints [1, 6, 9] |
Approved w/Constraints [1, 9, 10] |
2019 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
2022 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
2025 |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
| | [1] | This Technology is currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population. | | [2] | Product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines. Configuration and deployment standards for Windows server images, which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering must be followed and adhered to unless an appropriate waiver is granted.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is not allowed without a waiver from the Core Systems Engineering and/or Client Services organizations within VA Enterprise Systems Engineering. | | [3] | Product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines. Configuration and deployment standards for Windows server images which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering must be followed and adhered to unless an appropriate waiver is granted by the AERB.
No new installs of Deprecated Versions are allowed without a waiver.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is not allowed without a waiver.
The Windows Defender component of the optional Desktop Experience package is not allowed to be used without a waiver. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.
The Hyper-V Role may only be used on approved versions of Windows Server identified on the version tab of this entry, versions 2008 R2 and later, and following Hyper-V Role version and configuration standards set by ESE Core Systems Engineering Services for Hyper-V Roles. | | [4] | Product must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines. Configuration and deployment standards for Windows server images which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering must be followed and adhered to unless an appropriate waiver is granted by the AERB.
No new installs of Deprecated Versions are allowed. Windows Server 2014 (v10) Preview is in planning and only Enterprise System Engineering (ESE) Core Engineering may use the technology at this time for planning purposes. No production deployment date for Windows 2014 (v10) has been set as of this writing.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is not allowed without a waiver.
The Windows Defender component of the optional Desktop Experience package is not allowed to be used without a waiver. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.
The Hyper-V Role may only be used on approved versions of Windows Server identified on the version tab of this entry, versions 2008 R2 and later, and following Hyper-V Role version and configuration standards set by ESE Core Systems Engineering Services for Hyper-V Roles.
The Microsoft Virtual Server component which was replaced by the Hyper-V Role is prohibited from use and users must use the Hyper-V Role on approved versions of Windows Server. | | [5] | Configuration and deployment standards for Windows Server images, including standards for Hyper-V Roles, which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE) must be followed and adhered to unless an appropriate waiver is granted. Detailed information can be found at the following location: https://vaww.sde.portal.va.gov/svcs/sma/BCM/SitePages/Home.aspx
No new installs of Deprecated Versions are allowed.
Unapproved versions or components can be used only if a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the AERB, has been granted to the project team or organization that wishes to use the technology. (ref: and FAQ`s #4 and FAQ #5 for information on Decisions and AERB Waivers.)
Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and should only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is unapproved and should only be used when standard VA encryption technology cannot be used and is reviewed and approved by the AERB waiver process.
The Windows Defender component of the optional Desktop Experience package is unapproved and should only be used when standard VA security technology cannot be used and is reviewed and approved by the AERB waiver process. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.
The Microsoft Virtual Server component which was replaced by the Hyper-V Role is prohibited from use and users must use the Hyper-V Role on approved versions of Windows Server. | | [6] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | [7] | Configuration and deployment standards for Windows Server images including standards for Active Directory and Hyper-V Roles which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE) must be followed and adhered to unless an appropriate waiver is granted. See the reference section for more information.
No new installs of Deprecated Versions are allowed.
Unapproved versions or components can be used only if a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the AERB, has been granted to the project team or organization that wishes to use the technology. (ref: and FAQ`s #4 and FAQ #5 for information on Decisions and AERB Waivers.)
Windows Server 2008 SP2 is deprecated after 6/1/2015 and is only approved for use on servers that support SCCM 2007. Non-SCCM servers running Windows 2008 (non-R2) should migrate to Windows 2008 R2 or 2012 R2.
Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and should only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process. It is recommended that the AERB require all waivered instances of Windows 2003 Server to install Internet Explorer (IE) Version 8 which is the latest supported version of IE for this product.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is unapproved and should only be used when standard VA encryption technology cannot be used and is reviewed and approved by the AERB waiver process.
The Windows Defender component of the optional Desktop Experience package is unapproved and should only be used when standard VA security technology cannot be used and is reviewed and approved by the AERB waiver process. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.
The Microsoft Virtual Server component which was replaced by the Hyper-V Role is prohibited from use and users must use the Hyper-V Role on approved versions of Windows Server.
| | [8] | Configuration and deployment standards for Windows Server images including standards for Active Directory and Hyper-V Roles which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE) must be followed and adhered to unless an appropriate waiver is granted. See the reference section for more information.
No new installs of Deprecated Versions are allowed.
Unapproved versions or components can be used only if a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the AERB, has been granted to the project team or organization that wishes to use the technology. (ref: and FAQ`s #4 and FAQ #5 for information on Decisions and AERB Waivers.)
Windows Server 2008 SP2 is deprecated after 6/1/2015 and is only approved for use on servers that support SCCM 2007. Non-SCCM servers running Windows 2008 (non-R2) should migrate to Windows 2008 R2 or 2012 R2.
Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and should only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process. It is recommended that the AERB require all waivered instances of Windows 2003 Server to install Internet Explorer (IE) Version 8 which is the latest supported version of IE for this product.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is unapproved and should only be used when standard VA encryption technology cannot be used and is reviewed and approved by the AERB waiver process.
The Windows Defender component of the optional Desktop Experience package is unapproved and should only be used when standard VA security technology cannot be used and is reviewed and approved by the AERB waiver process. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.
Windows Internal Database (WID) is authorized only for use by Windows Server and should not be used by any end-user applications. See the `Component` section of this TRM entry for more details.
The Microsoft Virtual Server component which was replaced by the Hyper-V Role is prohibited from use and users must use the Hyper-V Role on approved versions of Windows Server.
| | [9] | Configuration and deployment standards for Windows Server images, including standards for Active Directory and Hyper-V Roles which are defined and maintained by the Core Systems Engineering organization within VA Enterprise Systems Engineering (ESE), must be followed and adhered to unless an appropriate waiver is granted. See the reference section for more information.
No new installs of Deprecated Versions are allowed.
Unapproved versions or components can be used only if a waiver, signed by the Deputy CIO of ASD and based upon a recommendation from the AERB, has been granted to the project team or organization that wishes to use the technology. (ref: and FAQ`s #4 and FAQ #5 for information on Decisions and AERB Waivers.)
Windows Server 2008 SP2 is deprecated after 6/1/2015 and is only approved for use on servers that support SCCM 2007. Non-SCCM servers running Windows 2008 (non-R2) must migrate to Windows 2008 R2 or 2012 R2.
Due to the critical nature of JASBUG, Windows Server 2003 is TRM unapproved and must only be used when the security risks are outweighed by the benefits as reviewed and approved by the AERB waiver process. It is recommended that the AERB require all waivered instances of Windows 2003 Server to install Internet Explorer (IE) Version 8 which is the latest supported version of IE for this product.
The use of Windows BitLocker disc encryption that is integrated into the Windows Operating System is unapproved and must only be used when standard VA encryption technology cannot be used and is reviewed and approved by the AERB waiver process.
The Windows Defender component of the optional Desktop Experience package is unapproved and must only be used when standard VA security technology cannot be used and is reviewed and approved by the AERB waiver process. After the install of the optional Desktop Experience package, the Windows Defender Service must be disabled and deleted using the `SC Delete` command to prevent it from being enabled.
Windows Internal Database (WID) is authorized only for use by Windows Server and must not be used by any end-user applications. See the `Component` section of this TRM entry for more details.
The Microsoft Virtual Server component which was replaced by the Hyper-V Role is prohibited from use and users must use the Hyper-V Role on approved versions of Windows Server.
| | [10] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities. |
|
Note: |
At the time of writing, version 2025 is the most current version, released 10/01/2022.
A baseline configuration of this technology was developed by the BCM team. At the time of writing, the baseline version is 2022. |