Share via

IIS on Nano Server

Applies to: Windows Server 2016


On October 9, 2018, support for the Nano Server installation option ended. Starting in Windows Server, version 1709, Nano Server is available only as a container base OS image. Check out Changes to Nano Server to learn what this means.

You can install the Internet Information Services (IIS) server role on Nano Server by using the -Package parameter with Microsoft-NanoServer-IIS-Package. For information about configuring Nano Server, including installing packages, see Install Nano Server.

In this release of Nano Server, the following IIS features are available:

Feature Enabled by default
Common HTTP Features
Default document x
Directory browsing x
HTTP Errors x
Static content x
HTTP redirection
Health and Diagnostics
HTTP logging x
Custom logging
Request monitor
Static content compression x
Dynamic content compression
Request filtering x
Basic authentication
Client certificate mapping authentication
Digest authentication
IIS client certificate mapping authentication
IP and domain restrictions
URL authorization
Windows authentication
Application Development
Application initialization
ISAPI extensions
ISAPI filters
Server-side includes
WebSocket protocol
Management Tools
IISAdministration module for Windows PowerShell x

A series of articles on other configurations of IIS (such as using ASP.NET, PHP, and Java) and other related content is published at

Installing IIS on Nano Server

You can install this server role either offline (with the Nano Server off) or online (with the Nano Server running); offline installation is the recommended option.

For offline installation, add the package with the -Packages parameter of New-NanoServerImage, as in this example:

New-NanoServerImage -Edition Standard -DeploymentType Guest -MediaPath f:\ -BasePath .\Base -TargetPath .\Nano1.vhd -ComputerName Nano1 -Package Microsoft-NanoServer-IIS-Package

If you have an existing VHD file, you can install IIS offline with DISM.exe by mounting the VHD, and then using the Add-Package option. The following example steps assume that you are running from the directory specified by BasePath option, which was created after running New-NanoServerImage.

  1. mkdir mountdir
  2. .\Tools\dism.exe /Mount-Image /ImageFile:.\NanoServer.vhd /Index:1 /MountDir:.\mountdir
  3. .\Tools\dism.exe /Add-Package /PackagePath:.\packages\ /Image:.\mountdir
  4. .\Tools\dism.exe /Add-Package /PackagePath:.\packages\en-us\ /Image:.\mountdir
  5. .\Tools\dism.exe /Unmount-Image /MountDir:.\MountDir /Commit


Note that Step 4 adds the language pack--this example installs EN-US.

At this point, you can start Nano Server with IIS.

Installing IIS on Nano Server online

Though offline installation of the server role is recommended, you might need to install it online (with the Nano Server running) in container scenarios. To do this, follow these steps:

  1. Copy the Packages folder from the installation media locally to the running Nano Server (for example, to C:\packages).

  2. Create a new Unattend.xml file on another computer and then copy it to the Nano Server. You can copy and paste this XML content into the XML file you created:

    <unattend xmlns=urn:schemas-microsoft-com:unattend>
        <package action=install>
            <assemblyIdentity name=Microsoft-NanoServer-IIS-Package version=10.0.14393.0 processorArchitecture=amd64 publicKeyToken=31bf3856ad364e35 language=neutral />
            <source location=c:\packages\ />
        <package action=install>
            <assemblyIdentity name=Microsoft-NanoServer-IIS-Package version=10.0.14393.0 processorArchitecture=amd64 publicKeyToken=31bf3856ad364e35 language=en-US />
            <source location=c:\packages\en-us\ />
    <cpi:offlineImage cpi:source= xmlns:cpi=urn:schemas-microsoft-com:cpi />
  1. In the new XML file you created (or copied), edit C:\packages to the directory you copied the content of Packages to.

  2. Switch to the directory with the newly created XML file and run

    dism /online /apply-unattend:.\unattend.xml

  3. Confirm that the IIS package and its associated language pack are installed correctly by running:

    dism /online /get-packages

    You should see Package Identity : Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~~10.0.14393.1000 listed twice, once for Release Type : Language Pack and once for Release Type : Feature Pack.

  4. Start the W3SVC service either with net start w3svc or by restarting the Nano Server.

Starting IIS

Once IIS is installed and running, it is ready to serve web requests. Verify that IIS is running by browsing the default IIS web page at http://<IP address of Nano Server>. On a physical computer, you can determine the IP address by using the Recovery Console. On a virtual machine, you can get the IP address by using a Windows PowerShell prompt and running:

Get-VM -name <VM name> | Select -ExpandProperty networkadapters | select IPAddresses

If you are not able to access the default IIS web page, double-check the IIS installation by looking for the c:\inetpub directory on the Nano Server.

Enabling and disabling IIS features

A number of IIS features are enabled by default when you install the IIS role (see the table in the Overview of IIS on Nano Server section of this topic). You can enable (or disable) additional features using DISM.exe

Each feature of IIS exists as a set of configuration elements. For example, the Windows authentication feature comprises these elements:

Section Configuration elements
<globalModules> <add name=WindowsAuthenticationModule image=%windir%\System32\inetsrv\authsspi.dll
<modules> <add name=WindowsAuthenticationModule lockItem=true \/>
<windowsAuthentication> <windowsAuthentication enabled=false authPersistNonNTLM\=true><providers><add value=Negotiate /><add value=NTLM /><br /></providers><br /></windowsAuthentication>

The full set of IIS sub-features is included in Appendix 1 of this topic and their corresponding configuration elements is included in Appendix 2 of this topic.

Example: installing Windows authentication

  1. Open a Windows PowerShell remote session console on the Nano Server.

  2. Use DISM.exe to install the Windows authentication module:

    dism /Enable-Feature /online /featurename:IIS-WindowsAuthentication /all

    The /all switch will install any feature that the chosen feature depends on.

Example: uninstalling Windows authentication

  1. Open a Windows PowerShell remote session console on the Nano Server.

  2. Use DISM.exe to uninstall the Windows authentication module:

    dism /Disable-Feature /online /featurename:IIS-WindowsAuthentication

Other common IIS configuration tasks

Creating websites

Use this cmdlet:

PS D:\> New-IISSite -Name TestSite -BindingInformation *:80:TestSite -PhysicalPath c:\test

You can then run Get-IISSite to verify the state of the site (returns the web site name, ID, state, physical path, and bindings).

Deleting web sites

Run Remove-IISSite -Name TestSite -Confirm:$false.

Creating virtual directories

You can create virtual directories by using the IISServerManager object returned by Get-IISServerManager, which exposes the .NET Microsoft.Web.Administration.ServerManager API. In this example, these commands access the Default Web Site element of the Sites collection and the root application element (/) of the Applications section. They then call the Add() method of the VirtualDirectories collection for that application element to create the new directory:

PS C:\> $sm = Get-IISServerManager
PS C:\> $sm.Sites["Default Web Site"].Applications[/].VirtualDirectories.Add(/DemoVirtualDir1, c:\test\virtualDirectory1)
PS C:\> $sm.Sites["Default Web Site"].Applications[/].VirtualDirectories.Add(/DemoVirtualDir2, c:\test\virtualDirectory2)
PS C:\> $sm.CommitChanges()

Creating application pools

Similarly you can use Get-IISServerManager to create application pools:

PS C:\> $sm = Get-IISServerManager
PS C:\> $sm.ApplicationPools.Add(DemoAppPool)

Configuring HTTPS and certificates

Use the Certoc.exe utility to import certificates, as in this example, which shows configuring HTTPS for a website on a Nano Server:

  1. On another computer that is not running Nano Server, create a certificate (using your own certificate name and password), and then export it to c:\temp\test.pfx.

    $newCert = New-SelfSignedCertificate -DnsName -CertStoreLocation cert:\LocalMachine\my

    $mypwd = ConvertTo-SecureString -String YOUR_PFX_PASSWD -Force -AsPlainText

    Export-PfxCertificate -FilePath c:\temp\test.pfx -Cert $newCert -Password $mypwd

  2. Copy the test.pfx file to the Nano Server computer.

  3. On the Nano Server, import the certificate to the My store with this command:

    certoc.exe -ImportPFX -p YOUR_PFX_PASSWD My c:\temp\test.pfx

  4. Retrieve the thumbprint of this new certificate (in this example, 61E71251294B2A7BB8259C2AC5CF7BA622777E73) with Get-ChildItem Cert:\LocalMachine\my.

  5. Add the HTTPS binding to the Default Web Site (or whatever website you want to add the binding to) by using these Windows PowerShell commands:

    $certificate = get-item Cert:\LocalMachine\my\61E71251294B2A7BB8259C2AC5CF7BA622777E73
    # Use your actual thumbprint instead of this example
    $hash = $certificate.GetCertHash()
    Import-Module IISAdministration
    $sm = Get-IISServerManager
    $sm.Sites["Default Web Site"].Bindings.Add("*:443:", $hash, "My", "0")    # My is the certificate store name

    You could also use Server Name Indication (SNI) with a specific host name with this syntax: $sm.Sites["Default Web Site"].Bindings.Add("*", $hash, "My", "SNI")

Appendix 1: List of IIS sub-features

  • IIS-WebServer
  • IIS-CommonHttpFeatures
  • IIS-StaticContent
  • IIS-DefaultDocument
  • IIS-DirectoryBrowsing
  • IIS-HttpErrors
  • IIS-HttpRedirect
  • IIS-ApplicationDevelopment
  • IIS-ISAPIExtensions
  • IIS-ISAPIFilter
  • IIS-ServerSideIncludes
  • IIS-WebSockets
  • IIS-ApplicationInit
  • IIS-Security
  • IIS-BasicAuthentication
  • IIS-WindowsAuthentication
  • IIS-DigestAuthentication
  • IIS-ClientCertificateMappingAuthentication
  • IIS-IISCertificateMappingAuthentication
  • IIS-URLAuthorization
  • IIS-RequestFiltering
  • IIS-IPSecurity
  • IIS-CertProvider
  • IIS-Performance
  • IIS-HttpCompressionStatic
  • IIS-HttpCompressionDynamic
  • IIS-HealthAndDiagnostics
  • IIS-HttpLogging
  • IIS-LoggingLibraries
  • IIS-RequestMonitor
  • IIS-HttpTracing
  • IIS-CustomLogging

Appendix 2: Elements of HTTP features

Each feature of IIS exists as a set of configuration elements. This appendix lists the configuration elements for all of the features in this release of Nano Server

Common HTTP features

Default document

Section Configuration elements
<globalModules> <add name=DefaultDocumentModule image=%windir%\System32\inetsrv\defdoc.dll />
<modules> <add name=DefaultDocumentModule lockItem=true />
<handlers> <add name=StaticFile path=* verb=* modules=DefaultDocumentModule resourceType=EiSecther requireAccess=Read />
<defaultDocument> <defaultDocument enabled=true><br /><files><br /> <add value=Default.htm /><br /> <add value=Default.asp /><br /> <add value=index.htm /><br /> <add value=index.html /><br /> <add value=iisstart.htm /><br /> </files><br /></defaultDocument>

The StaticFile <handlers> entry might already be present; if so, just add DefaultDocumentModule to the <modules> attribute, separated by a comma.

Directory browsing

Section Configuration elements
<globalModules> <add name=DirectoryListingModule image=%windir%\System32\inetsrv\dirlist.dll />
<modules> <add name=DirectoryListingModule lockItem=true />
<handlers> <add name=StaticFile path=* verb=* modules=DirectoryListingModule resourceType=Either requireAccess=Read />

The StaticFile <handlers> entry might already be present; if so, just add DirectoryListingModule to the <modules> attribute, separated by a comma.

HTTP errors

Section Configuration elements
<globalModules> <add name=CustomErrorModule image=%windir%\System32\inetsrv\custerr.dll />
<modules> <add name=CustomErrorModule lockItem=true />
<httpErrors> <httpErrors lockAttributes=allowAbsolutePathsWhenDelegated,defaultPath><br /> <error statusCode=401 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=401.htm ><br /> <error statusCode=403 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=403.htm /><br /> <error statusCode=404 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=404.htm /><br /> <error statusCode=405 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=405.htm /><br /> <error statusCode=406 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=406.htm /><br /> <error statusCode=412 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=412.htm /><br /> <error statusCode=500 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=500.htm /><br /> <error statusCode=501 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=501.htm /><br /> <error statusCode=502 prefixLanguageFilePath=%SystemDrive%\inetpub\custerr path=502.htm /><br /></httpErrors>

Static content

Section Configuration elements
<globalModules> <add name=StaticFileModule image=%windir%\System32\inetsrv\static.dll />
<modules> <add name=StaticFileModule lockItem=true />
<handlers> <add name=StaticFile path=* verb=* modules=StaticFileModule resourceType=Either requireAccess=Read />

The StaticFile \<handlers> entry might already be present; if so, just add StaticFileModule to the <modules> attribute, separated by a comma.

HTTP redirection

Section Configuration elements
<globalModules> <add name=HttpRedirectionModule image=%windir%\System32\inetsrv\redirect.dll />
<modules> <add name=HttpRedirectionModule lockItem=true />
<httpRedirect> <httpRedirect enabled=false />

Health and diagnostics

HTTP logging

Section Configuration elements
<globalModules> <add name=HttpLoggingModule image=%windir%\System32\inetsrv\loghttp.dll />
<modules> <add name=HttpLoggingModule lockItem=true />
<httpLogging> <httpLogging dontLog=false />

Custom logging

Section Configuration elements
<globalModules> <add name=CustomLoggingModule image=%windir%\System32\inetsrv\logcust.dll />
<modules> <add name=CustomLoggingModule lockItem=true />

Request monitor

Section Configuration elements
<globalModules> <add name=RequestMonitorModule image=%windir%\System32\inetsrv\iisreqs.dll />


Section Configuration elements
<globalModules> <add name=TracingModule image=%windir%\System32\inetsrv\iisetw.dll \/><br /><add name=FailedRequestsTracingModule image=%windir%\System32\inetsrv\iisfreb.dll />
<modules> <add name=FailedRequestsTracingModule lockItem=true />
<traceProviderDefinitions> <traceProviderDefinitions><br /> <add name=WWW Server guid\={3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}><br /> <areas><br /> <clear /><br /> <add name=Authentication value=2 /><br /> <add name=Security value=4 /><br /> <add name=Filter value=8 /><br /> <add name=StaticFile value=16 /><br /> <add name=CGI value=32 /><br /> <add name=Compression value=64 /><br /> <add name=Cache value=128 /><br /> <add name=RequestNotifications value=256 /><br /> <add name=Module value=512 /><br /> <add name=FastCGI value=4096 /><br /> <add name=WebSocket value=16384 /><br /> </areas><br /> </add><br /> <add name=ISAPI Extension guid={a1c2040e-8840-4c31-ba11-9871031a19ea}><br /> <areas><br /> <clear /><br /> </areas><br /> </add><br /></traceProviderDefinitions>


Static content compression

Section Configuration elements
<globalModules> <add name=StaticCompressionModule image=%windir%\System32\inetsrv\compstat.dll />
<modules> <add name=StaticCompressionModule lockItem=true />
<httpCompression> <httpCompression directory=%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files><br /> <scheme name=gzip dll=%Windir%\system32\inetsrv\gzip.dll /><br /> <staticTypes><br /> <add mimeType=text/* enabled=true /><br /> <add mimeType=message/* enabled=true /><br /> <add mimeType=application/javascript enabled=true \/><br /> <add mimeType=application/atom+xml enabled=true /><br /> <add mimeType=application/xaml+xml enabled=true /><br /> <add mimeType=\*\* enabled=false /><br /> </staticTypes><br /></httpCompression>

Dynamic content compression

Section Configuration elements
<globalModules> <add name=DynamicCompressionModule image=%windir%\System32\inetsrv\compdyn.dll />
<modules> <add name=DynamicCompressionModule lockItem=true />
<httpCompression> <httpCompression directory\=%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files><br /> <scheme name=gzip dll=%Windir%\system32\inetsrv\gzip.dll \/><br /> \<dynamicTypes><br /> <add mimeType=text/* enabled=true \/><br /> <add mimeType=message/* enabled=true /><br /> <add mimeType=application/x-javascript enabled=true /><br /> <add mimeType=application/javascript enabled=true /><br /> <add mimeType=*/* enabled=false /><br /> <\/dynamicTypes><br /></httpCompression>


Request filtering

Section Configuration elements
<globalModules> <add name=RequestFilteringModule image=%windir%\System32\inetsrv\modrqflt.dll />
<modules> <add name=RequestFilteringModule lockItem=true />
<requestFiltering> <requestFiltering><br /> <fileExtensions allowUnlisted=true applyToWebDAV=true /><br /> <verbs allowUnlisted=true applyToWebDAV=true /><br /> <hiddenSegments applyToWebDAV=true><br /> <add segment=web.config /><br /> </hiddenSegments><br /></requestFiltering>

Basic authentication

Section Configuration elements
<globalModules> <add name=BasicAuthenticationModule image=%windir%\System32\inetsrv\authbas.dll />
<modules> <add name=WindowsAuthenticationModule lockItem=true />
<basicAuthentication> <basicAuthentication enabled=false />

Client certificate mapping authentication

Section Configuration elements
<globalModules> <add name=CertificateMappingAuthentication image=%windir%\System32\inetsrv\authcert.dll />
<modules> <add name=CertificateMappingAuthenticationModule lockItem=true />
<clientCertificateMappingAuthentication> <clientCertificateMappingAuthentication enabled=false />

Digest authentication

Section Configuration elements
<globalModules> <add name=DigestAuthenticationModule image=%windir%\System32\inetsrv\authmd5.dll />
<modules> <add name=DigestAuthenticationModule lockItem=true />
<other> <digestAuthentication enabled=false />

IIS client certificate mapping authentication

Section Configuration elements
<globalModules> <add name=CertificateMappingAuthenticationModule image=%windir%\System32\inetsrv\authcert.dll />
<modules> <add name=CertificateMappingAuthenticationModule lockItem=true />`
<clientCertificateMappingAuthentication> <clientCertificateMappingAuthentication enabled=false />

IP and domain restrictions

Section Configuration elements
<globalModules> <add name=IpRestrictionModule image=%windir%\System32\inetsrv\iprestr.dll /><br /><add name=DynamicIpRestrictionModule image=%windir%\System32\inetsrv\diprestr.dll />
<modules> <add name=IpRestrictionModule lockItem=true \/><br /><add name=DynamicIpRestrictionModule lockItem=true \/>
<ipSecurity> <ipSecurity allowUnlisted=true />

URL authorization

Section Configuration elements
<globalModules> <add name=UrlAuthorizationModule image=%windir%\System32\inetsrv\urlauthz.dll />
<modules> <add name=UrlAuthorizationModule lockItem=true />
<authorization> <authorization><br /> <add accessType=Allow users=* /><br /></authorization>

Windows authentication

Section Configuration elements
<globalModules> <add name=WindowsAuthenticationModule image=%windir%\System32\inetsrv\authsspi.dll />
<modules> <add name=WindowsAuthenticationModule lockItem=true />
<windowsAuthentication> <windowsAuthentication enabled=false authPersistNonNTLM\=true><br /> <providers><br /> <add value=Negotiate /><br /> <add value=NTLM /><br /> <\providers><br /><\windowsAuthentication><windowsAuthentication enabled=false authPersistNonNTLM\=true><br /> <providers><br /> <add value=Negotiate /><br /> <add value=NTLM /><br /> <\/providers><br /><\/windowsAuthentication>

Application development

Application initialization

Section Configuration elements
<globalModules> <add name=ApplicationInitializationModule image=%windir%\System32\inetsrv\warmup.dll />
<modules> <add name=ApplicationInitializationModule lockItem=true />


Section Configuration elements
<globalModules> <add name=CgiModule image=%windir%\System32\inetsrv\cgi.dll /><br /><add name=FastCgiModule image=%windir%\System32\inetsrv\iisfcgi.dll />
<modules> <add name=CgiModule lockItem=true /><br /><add name=FastCgiModule lockItem=true />
<handlers> <add name=CGI-exe path=*.exe verb=\* modules=CgiModule resourceType=File requireAccess=Execute allowPathInfo=true />

ISAPI extensions

Section Configuration elements
<globalModules> <add name=IsapiModule image=%windir%\System32\inetsrv\isapi.dll />
<modules> <add name=IsapiModule lockItem=true />
<handlers> <add name=ISAPI-dll path=*.dll verb=* modules=IsapiModule resourceType=File requireAccess=Execute allowPathInfo=true />

ISAPI filters

Section Configuration elements
<globalModules> <add name=IsapiFilterModule image=%windir%\System32\inetsrv\filter.dll />
<modules> <add name=IsapiFilterModule lockItem=true />

Server-side includes

Section Configuration elements
<globalModules> <add name=ServerSideIncludeModule image=%windir%\System32\inetsrv\iis_ssi.dll />
<modules> <add name=ServerSideIncludeModule lockItem=true />
<handlers> <add name=SSINC-stm path=*.stm verb=GET,HEAD,POST modules=ServerSideIncludeModule resourceType=File \/><br /><add name=SSINC-shtm path=*.shtm verb=GET,HEAD,POST modules=ServerSideIncludeModule resourceType=File /><br /><add name=SSINC-shtml path=*.shtml verb=GET,HEAD,POST modules=ServerSideIncludeModule resourceType=File />
<serverSideInclude> <serverSideInclude ssiExecDisable=false />

WebSocket protocol

Section Configuration elements
<globalModules> <add name=WebSocketModule image=%windir%\System32\inetsrv\iiswsock.dll />
<modules> <add name=WebSocketModule lockItem=true />