How to Add and Remove Windows Server Roles and Features with PowerShell
Windows Server 2025 ships as a minimal platform and relies on you to install only the roles and features your workload requires. This principle of minimal footprint reduces the attack surface, lowers memory consumption, and keeps the server easier to maintain. While Server Manager provides a graphical wizard for role and feature installation, PowerShell is the preferred method in production environments because it is faster, fully scriptable, and produces output you can log and audit. This guide covers everything you need to know about querying available features, installing roles with their management tools and sub-features, verifying the results, handling restarts, and cleanly removing features when they are no longer needed — all using the ServerManager module that ships with Windows Server 2025.
Prerequisites
- Windows Server 2025 (Standard or Datacenter edition) with Desktop Experience or Server Core
- An elevated Windows PowerShell 5.1 session (the
ServerManagermodule is not available in PowerShell 7 by default) - Local administrator or domain administrator privileges
- Internet connectivity or a local installation source (WIM file) if installing roles that require additional binaries
Step 1 — Import the ServerManager Module
The ServerManager module provides the core cmdlets for role management. It is auto-loaded in Windows PowerShell 5.1 on Server 2025, but explicitly importing it is good practice in scripts.
# Import the module explicitly
Import-Module ServerManager
# Verify the module is loaded and check available cmdlets
Get-Command -Module ServerManager
# Key cmdlets you will use:
# Get-WindowsFeature — query available and installed features
# Install-WindowsFeature — install roles and features
# Uninstall-WindowsFeature — remove roles and features
Step 2 — Query Available Roles and Features
Before installing anything, understand what is available and what is already installed. Get-WindowsFeature returns a hierarchical tree of all server roles, role services, and features.
# List ALL available features (roles, role services, and features)
Get-WindowsFeature | Format-Table -AutoSize
# Show only features that are already installed
Get-WindowsFeature | Where-Object { $_.Installed -eq $true } |
Select-Object Name, DisplayName, InstallState
# Show only features that are NOT installed
Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Available' } |
Select-Object Name, DisplayName | Sort-Object Name
# Search for a specific feature by name or display name
Get-WindowsFeature -Name "*Web*"
Get-WindowsFeature -Name "*DNS*"
Get-WindowsFeature -Name "*Hyper-V*"
# Get detailed information about a specific feature
Get-WindowsFeature -Name Web-Server | Select-Object *
# Query features on a remote server
Get-WindowsFeature -ComputerName "SRVWEB02"
Step 3 — Install IIS (Web Server Role)
IIS is one of the most commonly installed roles. The example below installs the Web-Server role with all sub-features and the graphical management tools, making it fully functional immediately after installation.
# Install IIS with all sub-features and management tools
Install-WindowsFeature `
-Name Web-Server `
-IncludeManagementTools `
-IncludeAllSubFeature `
-Verbose
# For a minimal IIS installation (static content only, no management tools)
Install-WindowsFeature `
-Name Web-Server, Web-Common-Http, Web-Static-Content, Web-Default-Doc `
-Verbose
# Verify the installation
Get-WindowsFeature -Name Web-* | Where-Object { $_.Installed }
# Check the IIS version installed
(Get-ItemProperty "HKLM:SOFTWAREMicrosoftInetStp").VersionString
# Start and verify the W3SVC service
Start-Service W3SVC
Get-Service W3SVC
Step 4 — Install Active Directory Domain Services
Active Directory Domain Services (AD DS) is installed as a Windows feature, but promoting the server to a domain controller is a separate step that uses the ADDSDeployment module.
# Step A: Install the AD DS role and management tools
Install-WindowsFeature `
-Name AD-Domain-Services `
-IncludeManagementTools `
-Verbose
# Verify
Get-WindowsFeature -Name AD-Domain-Services
# Step B: Import the deployment module
Import-Module ADDSDeployment
# Step C: Promote to a new domain controller in an existing domain
# (Remove -WhatIf to actually run the promotion)
Install-ADDSDomainController `
-DomainName "corp.example.com" `
-InstallDns:$true `
-Credential (Get-Credential) `
-SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM Password") `
-Force:$true `
-WhatIf
# Step C (alternative): Create a new forest for the first domain controller
Install-ADDSForest `
-DomainName "corp.example.com" `
-DomainNetbiosName "CORP" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns:$true `
-SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM Password") `
-Force:$true `
-WhatIf
Step 5 — Install DNS Server Role
# Install the DNS Server role with management tools
Install-WindowsFeature -Name DNS -IncludeManagementTools -Verbose
# Verify installation
Get-WindowsFeature -Name DNS
# Start the DNS Server service
Start-Service DNS
Set-Service DNS -StartupType Automatic
# Create a primary forward lookup zone
Add-DnsServerPrimaryZone `
-Name "example.com" `
-ZoneFile "example.com.dns" `
-DynamicUpdate None
# Add an A record
Add-DnsServerResourceRecordA `
-ZoneName "example.com" `
-Name "www" `
-IPv4Address "192.168.1.50"
# List all zones
Get-DnsServerZone
Step 6 — Install DHCP Server Role
# Install DHCP Server with management tools
Install-WindowsFeature -Name DHCP -IncludeManagementTools -Verbose
# Authorize the DHCP server in Active Directory (required for domain environments)
Add-DhcpServerInDC -DnsName "SRVDHCP01.corp.example.com" -IPAddress "192.168.1.20"
# Create a DHCP scope
Add-DhcpServerv4Scope `
-Name "LAN Scope" `
-StartRange "192.168.1.100" `
-EndRange "192.168.1.200" `
-SubnetMask "255.255.255.0" `
-State Active
# Set scope options (router, DNS server, domain name)
Set-DhcpServerv4OptionValue `
-ScopeId "192.168.1.0" `
-Router "192.168.1.1" `
-DnsServer "192.168.1.10" `
-DnsDomain "corp.example.com"
# Verify DHCP scope
Get-DhcpServerv4Scope
Step 7 — Install File Server Role
# Install the File Server role and related services
Install-WindowsFeature `
-Name FS-FileServer, FS-DFS-Namespace, FS-DFS-Replication `
-IncludeManagementTools `
-Verbose
# Create a new SMB share
New-SmbShare `
-Name "SharedData" `
-Path "D:SharesSharedData" `
-FullAccess "Domain Admins" `
-ChangeAccess "Domain Users" `
-ReadAccess "Everyone" `
-Description "Shared data folder"
# List current shares
Get-SmbShare | Select-Object Name, Path, Description
# Set NTFS permissions on the folder
$acl = Get-Acl "D:SharesSharedData"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"Domain Users", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($accessRule)
Set-Acl -Path "D:SharesSharedData" -AclObject $acl
Step 8 — Install Hyper-V Role
# Install Hyper-V with management tools
# Note: Requires a restart — plan accordingly
$result = Install-WindowsFeature `
-Name Hyper-V `
-IncludeManagementTools `
-Verbose
# Check if a restart is required
$result.RestartNeeded
# If restart is required, schedule it
if ($result.RestartNeeded -eq 'Yes') {
Write-Host "Restart required. The server will restart in 30 seconds." -ForegroundColor Yellow
Restart-Computer -Force -Delay 30
}
# After restart — verify Hyper-V
Get-WindowsFeature -Name Hyper-V
Get-VMHost
Step 9 — Install Multiple Roles in a Single Command
You can install several roles simultaneously by passing an array of feature names. This is more efficient than multiple separate commands and produces a single consolidated log entry.
# Install multiple roles and features in one command
$featuresToInstall = @(
"Web-Server",
"Web-Common-Http",
"Web-Asp-Net45",
"Web-ISAPI-Ext",
"Web-ISAPI-Filter",
"DNS",
"FS-FileServer",
"RSAT-AD-Tools",
"RSAT-DNS-Server"
)
$result = Install-WindowsFeature `
-Name $featuresToInstall `
-IncludeManagementTools `
-Verbose
# Summarise the result
$result | Select-Object FeatureResult, RestartNeeded, ExitCode
# Log the result to a file for auditing
$result | Export-Csv -Path "C:LogsFeatureInstall_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation
Step 10 — Handle Required Restarts
Some roles require a restart before they become operational. Always capture the return value of Install-WindowsFeature and check RestartNeeded before proceeding with further configuration.
# Always capture the result
$installResult = Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
# Evaluate restart requirement
switch ($installResult.RestartNeeded) {
'Yes' { Write-Warning "Restart required before the role is operational." }
'No' { Write-Host "No restart needed — role is active immediately." -ForegroundColor Green }
'Maybe' { Write-Warning "Restart may be required. Verify after testing." }
}
# Conditional restart in an automation script
if ($installResult.RestartNeeded -eq 'Yes') {
Restart-Computer -Force
}
Step 11 — Uninstall Roles and Features
Removing roles you no longer need reduces the attack surface and frees system resources. Uninstall-WindowsFeature mirrors the syntax of Install-WindowsFeature.
# Remove a single feature
Uninstall-WindowsFeature -Name Web-Server -IncludeManagementTools -Verbose
# Remove multiple features
$featuresToRemove = @("DNS", "DHCP")
Uninstall-WindowsFeature -Name $featuresToRemove -Verbose
# Remove a role and delete its payload from the WinSxS store (saves disk space)
# WARNING: binaries must be reinstalled from media if you need the role again
Uninstall-WindowsFeature -Name Web-Server -Remove -Verbose
# Check the result
Get-WindowsFeature -Name Web-Server
Conclusion
Managing Windows Server 2025 roles and features through PowerShell gives you complete, repeatable control over what your server does and does not run. The Get-WindowsFeature, Install-WindowsFeature, and Uninstall-WindowsFeature cmdlets cover every scenario from querying the available feature catalog through to multi-role deployments and clean removals. By capturing and evaluating the RestartNeeded return value and logging results to CSV, you ensure that role installations are auditable and that restarts are planned rather than accidental. The same script can be run against remote servers using the -ComputerName parameter, making it straightforward to enforce a consistent role configuration across every server in your fleet.
