How to Create Custom RMM Remediation Scripts to Correct DNS, Patching, and BitLocker Issues Automatically

by Francis Sevilleja, IT Technical Writer

DNS failures, failed Windows patches, and BitLocker misconfigurations can weaken an environment’s security posture. Automating the resolution of these issues with scripts improves mean time to repair (MTTR), reducing the number of support tickets and the duration of downtime. This guide outlines remediation scripts administrators can deploy through a remote monitoring and management (RMM) platform to resolve these issues.

Remediation scripts to fix DNS, patching, and BitLocker issues

Using an RMM platform to deploy scripts minimizes manual, repetitive fixes, allowing administrators to centrally manage endpoints automatically. This helps them provide faster service delivery and instant issue remediation while keeping endpoints compliant.

📌 Prerequisites:

  • Access to an RMM platform.
  • PowerShell 5.1 or later on target endpoints.
  • Access to an admin account.
  • Installed BitLocker and Windows Update features.
  • Group Policy access for centralized deployment.

📌 Recommended deployment strategies:

💻 = Best for individual users
💻💻💻 = Best for enterprises

Method 1: Using PowerShell scripts to auto-remediate DNS issues
Method 2: Leverage batch commands for DNS correction via CMD
Method 3: PowerShell scripts to resolve patching failures
Method 4: Run batch commands on CMD for update troubleshooting
Method 5: BitLocker recovery through PowerShell remediation scripts
Method 6: Registry method for DNS, patch, or BitLocker-related policies
Method 7: Use GPO for centralized remediation script deployment

💡 Note: The scripts in this guide work for RMM platforms that offer remote PowerShell and batch script deployment. For simplicity, we’ll use NinjaOne RMM as the deployment tool for our remediation scripts.

⚠️ Important: Do the following steps for methods 1-6 before proceeding:

NinjaOne’s RMM platform supports JavaScript, PowerShell, Batch, ShellScript, and VBS Script languages. Here’s how you can upload custom scripts inside NinjaOne’s script library:

  1. Open NinjaOne RMM, then go to:

Administration > Library > Automation.

  2. Inside Automation, press Add and select New Script.
  3. Complete the necessary fields and parameters for your custom script.
  4. Enter the provided scripts in this guide to save them as an automation script.
    • Ensure that the selected language matches the script’s language.
  5. Once saved, you can use NinjaOne’s built-in tools to select the target devices for automation by selecting the checkbox beside them.

Method 1: Using PowerShell scripts to auto-remediate DNS issues

📌 Use Cases: Leverage PowerShell scripts to flush the DNS cache, replacing cached records of domain names and IP addresses with fresh ones. Administrators can also use PowerShell to restart the DNS Client service to re-establish a connection with DNS servers.

⚠️ Important: DNS server changes made by these scripts only apply temporarily in a domain-joined environment where DNS is configured via GPO, because the policy reapplies its settings on the next refresh. (See ⚠️ Things to look out for.)

Remediation script to flush the DNS cache:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("8.8.8.8","8.8.4.4")
Clear-DnsClientCache

💡 Note: Not all devices use “Ethernet” as their default network adapter name, which can cause errors when deployed in bulk. You can use wildcard matching for script deployments on target devices with varying network adapter names.

Get-NetAdapter | Where-Object { $_.Status -eq "Up" } | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceAlias $_.Name -ServerAddresses ("8.8.8.8", "8.8.4.4")
}
Clear-DnsClientCache

PowerShell script to restart the DNS client service:

Administrators can reset the DNS Client inside Services.msc, clearing the in-memory DNS cache while resetting the DNS resolver.

Restart-Service -Name dnscache

Script to log resolution test results

The following script tests if the DNS resolution is working, logging errors inside the Windows Event Log if it fails.

# Write-EventLog fails unless the event source is registered, so register it once
if (-not [System.Diagnostics.EventLog]::SourceExists("DNSFix")) {
    New-EventLog -LogName Application -Source "DNSFix"
}
$test = Test-Connection google.com -Count 2 -Quiet
if (-not $test) {
    Write-EventLog -LogName Application -Source "DNSFix" -EventID 3001 -EntryType Warning -Message "DNS resolution failed after fix."
}

💡 Tip: Administrators can schedule these scripts inside RMM platforms for regular DNS maintenance. If your RMM offers real-time alerts, you can automatically trigger these DNS remediation scripts based on alerts and logs.
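As an added example (not code from the article or from NinjaOne), the following script combines the Method 1 steps with the safeguards a practitioner would want before running them unattended from an RMM: it records the previous resolver settings for rollback, registers the event source before writing, verifies with a real DNS query rather than a ping, and restores the old servers if resolution still fails. The resolver addresses, test hostname, log folder and event source name are assumptions.

```powershell
# Added example, not from the original article. Resolver addresses, test host,
# log folder and event source name are assumptions; adjust for your environment.
$NewDns   = @("8.8.8.8", "8.8.4.4")
$LogDir   = "C:\Logs"
$Source   = "DNSFix"
$TestName = "www.microsoft.com"   # assumed test host

# Ensure the log folder and event source exist before anything writes to them
if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Record the current IPv4 DNS servers of each active adapter so the change can be reverted
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq "Up" }
$backup = foreach ($a in $adapters) {
    $cfg = Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4
    [pscustomobject]@{ Adapter = $a.Name; Index = $a.ifIndex; Servers = $cfg.ServerAddresses }
}
$backup | ConvertTo-Json | Out-File (Join-Path $LogDir "dns_backup.json")

# Apply the new resolvers by interface index (no hardcoded adapter name) and flush the cache
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $NewDns
}
Clear-DnsClientCache

# Verify with an actual DNS query; ICMP echo may be filtered even when DNS works
try {
    $null = Resolve-DnsName -Name $TestName -Type A -ErrorAction Stop
    $ok = $true
} catch {
    $ok = $false
}

if ($ok) {
    Write-EventLog -LogName Application -Source $Source -EventId 3000 -EntryType Information `
        -Message "DNS remediation succeeded; resolved $TestName."
} else {
    # Roll back to the recorded settings when resolution still fails
    foreach ($b in $backup) {
        if ($b.Servers) { Set-DnsClientServerAddress -InterfaceIndex $b.Index -ServerAddresses $b.Servers }
        else            { Set-DnsClientServerAddress -InterfaceIndex $b.Index -ResetServerAddresses }
    }
    Write-EventLog -LogName Application -Source $Source -EventId 3001 -EntryType Warning `
        -Message "DNS resolution of $TestName failed after fix; previous settings restored."
}
```

On current Windows 10/11 builds the Dnscache service is not stoppable through Restart-Service, so the script relies on Clear-DnsClientCache rather than a service restart.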

Method 2: Leverage batch commands for DNS correction via CMD

📌 Use Case: Use the following batch script to flush the DNS cache, restart the client, set a server, and test the remediation in one go.

Basic DNS issue remediation using a batch script:

@echo off
ipconfig /flushdns
net stop dnscache
net start dnscache
netsh interface ip set dns "Ethernet" static 8.8.8.8
if not exist C:\Logs mkdir C:\Logs
echo [%DATE% %TIME%] DNS test >> C:\Logs\dns_fix_result.txt
nslookup google.com >> C:\Logs\dns_fix_result.txt

⚠️ Important: A hardcoded name like “Ethernet” can cause script failure if no matching adapter exists, as netsh requires exact names. (See ⚠️ Things to look out for.)

Method 3: PowerShell scripts to resolve patching failures

📌 Use Cases: Leverage the PowerShell scripts to force missed updates, reset update components, and log update results for error diagnosis.

Force recheck and install missing updates:

This script first installs and imports the required PSWindowsUpdate module to provide better update management control for administrators. Afterwards, this scans and installs any pending updates, ensuring the target machines are up-to-date.

Install-Module PSWindowsUpdate -Force -AllowClobber
Import-Module PSWindowsUpdate
Get-WindowsUpdate -AcceptAll -Install -AutoReboot

PowerShell script to reset Windows Update components:

The following script stops the Windows Update Service (wuauserv). The script then deletes the SoftwareDistribution folder containing cached updates and temporary files, which can potentially cause corruption or stuck updates. Use this script to resolve update failures after a corrupted download or to remediate stuck or slow update scans.

Stop-Service wuauserv
Remove-Item -Path "C:\Windows\SoftwareDistribution" -Recurse -Force
Start-Service wuauserv

Generating a log update summary using scripts:

Use the script below to collect diagnostic data post-update and to help centralize logging for easier error monitoring.

Get-WindowsUpdateLog -LogPath "C:\Logs\WindowsUpdateSummary.txt"

⚠️ Important: Ensure that C:\Logs exists before designating it as a log path. (See ⚠️ Things to look out for.)

Method 4: Run batch commands on CMD for update troubleshooting

📌 Use Case: The CMD can deploy batch commands that reset update components and trigger a scan.

Basic update fix batch script:

The following batch command allows for a quick reset of update components and scanning for pending or missed updates. However, unlike method 3, the CMD cannot automatically install updates, requiring manual installation via Windows Update.

@echo off
net stop wuauserv
rd /s /q C:\Windows\SoftwareDistribution
net start wuauserv
wuauclt /detectnow

💡 Tip: Set a policy condition in your RMM to trigger this script when the Last Installed Update exceeds a set number of days. This allows your managed endpoints to automatically scan for updates regularly and consistently.
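As an added example covering Methods 3 and 4 (not code from the article or from NinjaOne), the script below implements the tip above: it resets the update components only when the last installed hotfix is older than a threshold, renames rather than deletes the SoftwareDistribution cache so it can be inspected or restored, and writes a summary the RMM can collect. The threshold, log folder and rename target are assumptions.

```powershell
# Added example, not from the original article. Threshold, log folder and the
# ".old" rename target are assumptions.
$MaxDays = 30
$LogDir  = "C:\Logs"
$Summary = Join-Path $LogDir "update_remediation.txt"
$SdPath  = "C:\Windows\SoftwareDistribution"

if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }

# Determine how long ago the most recent hotfix was installed
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
"[{0}] Last hotfix: {1} on {2} ({3} days ago)" -f (Get-Date), $last.HotFixID, $last.InstalledOn, $age |
    Add-Content $Summary

if ($age -le $MaxDays) {
    "[{0}] Within the {1}-day threshold; no reset performed." -f (Get-Date), $MaxDays | Add-Content $Summary
    return
}

# Stop the update and transfer services, rename (not delete) the cache folder,
# then bring the services back up
$services = "wuauserv", "bits"
foreach ($s in $services) { Stop-Service -Name $s -Force -ErrorAction SilentlyContinue }
if (Test-Path $SdPath) {
    $old = "$SdPath.old"
    if (Test-Path $old) { Remove-Item -Path $old -Recurse -Force }
    Rename-Item -Path $SdPath -NewName "SoftwareDistribution.old"
}
foreach ($s in $services) { Start-Service -Name $s -ErrorAction SilentlyContinue }

# Trigger a detection pass and capture the merged update log for diagnostics
wuauclt /detectnow
Get-WindowsUpdateLog -LogPath (Join-Path $LogDir "WindowsUpdateSummary.txt")
"[{0}] Components reset and detection triggered." -f (Get-Date) | Add-Content $Summary
```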

Method 5: BitLocker recovery through PowerShell remediation scripts

Having BitLocker disabled on endpoints makes a device non-compliant and its data vulnerable to threats. Therefore, ensuring BitLocker protection is consistently enabled on all managed endpoints strengthens an organization’s security posture.

📌 Use Cases: Administrators can utilize scripts on their RMM to verify BitLocker status, backup recovery keys, check encryption status, and log it.

📌 Prerequisite: Devices with Trusted Platform Module (TPM)

Scripts to check and enable BitLocker if it’s missing:

This PowerShell script retrieves the BitLocker volume object for a specific drive (C: in the example) and automatically enables BitLocker if protection is off, without requiring end-user interaction.

$bitlocker = Get-BitLockerVolume -MountPoint "C:"
if ($bitlocker.ProtectionStatus -eq "Off") {
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
}

💡 NOTE: -TpmProtector requires an available and ready TPM on the target device. Applying this to non-TPM devices will cause an error.

Export backup recovery key to the domain controller or locally:

The script below searches for the Recovery Password protector on a specified BitLocker volume. Afterward, the script backs up the recovery key to the domain controller or default storage. This ensures that BitLocker recovery is possible in case of a TPM reset or OS corruption.

$bitlocker = Get-BitLockerVolume -MountPoint "C:"
$recovery = $bitlocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
# Enable-BitLocker with -TpmProtector alone adds no recovery password, so create one if missing
if (-not $recovery) {
    $recovery = (Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recovery.KeyProtectorId

Check and log BitLocker encryption status:

Administrators can use the script below to create a simple log record as local proof of a device’s encryption status.

Get-BitLockerVolume -MountPoint "C:" | Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage | Out-File "C:\Logs\bitlocker_status.txt"

💡 Tip: Administrators can assign this script to automatically run on schedule or when BitLocker protection status is detected as Off.
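As an added example (not code from the article or from NinjaOne), the script below ties the three Method 5 steps together in the order that avoids an unrecoverable volume: it checks that the TPM is actually ready, creates a recovery password protector before protection is turned on, resumes rather than re-encrypts a suspended volume, escrows every recovery password to AD DS, and logs the outcome. The mount point and log folder are assumptions.

```powershell
# Added example, not from the original article. Mount point and log folder are assumptions.
$Mount  = "C:"
$LogDir = "C:\Logs"
if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }
$Log = Join-Path $LogDir "bitlocker_status.txt"

# -TpmProtector errors on devices without a ready TPM, so check before enabling
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    "[{0}] {1}: TPM not present or not ready; skipping. Use the non-TPM policy path instead." -f (Get-Date), $env:COMPUTERNAME |
        Add-Content $Log
    return
}

$vol = Get-BitLockerVolume -MountPoint $Mount

# Add a recovery password first so a key exists to escrow before protection turns on
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    $vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
}

if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} elseif ($vol.ProtectionStatus -eq 'Off') {
    # Already encrypted but protection suspended: resume instead of re-encrypting
    Resume-BitLocker -MountPoint $Mount
}

# Escrow every recovery password protector to Active Directory Domain Services
$vol = Get-BitLockerVolume -MountPoint $Mount
$escrow = "no recovery password protector"
foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
        $escrow = "escrowed to AD DS"
    } catch {
        $escrow = "escrow failed: $($_.Exception.Message)"
    }
}

"[{0}] {1} {2} protection={3} status={4} {5}% recovery password {6}" -f (Get-Date), $env:COMPUTERNAME, $Mount,
    $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage, $escrow | Add-Content $Log
```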

Method 6: Registry method for DNS, patch, or BitLocker-related policies

The Registry contains values administrators can configure to replace incorrect DNS servers, disable Windows Update deferrals, and force-enable BitLocker on non-TPM devices.

⚠️ Warning: Misconfigurations in the Registry can break system stability, introducing problems like boot issues and significant performance slowdown. (See ⚠️ Things to look out for.)

📌 Use Cases: Leverage PowerShell scripts to automate Registry configurations and deploy them consistently across endpoints using an RMM platform.

Assign a new DNS server using PowerShell scripts:

This script assigns a static DNS server system-wide, overriding any automatic DNS configurations. This forces the system to use the specified DNS in the Registry; however, GPO DNS enforcements will override this change.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NameServer" -Value "8.8.8.8"

Disable Windows Update deferrals (if patching is blocked):

You can enable automatic updates in the Registry by setting the NoAutoUpdate DWORD value to 0. Use this script in environments where patching is blocked due to a misconfiguration or disabled by default.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Value 0 -Type DWord

Enable BitLocker using Registry scripts:

This script enables BitLocker on devices, even older non-TPM machines, providing consistent encryption across an environment.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "EnableBDEWithNoTPM" -Value 1 -Type DWord

💡 Note: Although you can enable BitLocker on non-TPM devices, you’ll need alternative protectors like startup passwords and USB keys.
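As an added example (not code from the article or from NinjaOne), the script below applies the Windows Update and BitLocker policy values from this method the way the ⚠️ Things to look out for table recommends: each key is exported with reg.exe before it is touched, so it can be restored with reg import, and every write is read back and reported as OK or MISMATCH so the RMM output is auditable. The backup folder is an assumption; the key paths and values are the ones shown above.

```powershell
# Added example, not from the original article. Backup folder is an assumption;
# key paths and values are those given in Method 6.
$BackupDir = "C:\Logs\RegBackup"
if (-not (Test-Path $BackupDir)) { New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null }

# Desired settings: key path, value name, data and type
$settings = @(
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Name = "NoAutoUpdate";       Value = 0; Type = "DWord" },
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\FVE";                      Name = "EnableBDEWithNoTPM"; Value = 1; Type = "DWord" }
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
foreach ($s in $settings) {
    # reg.exe expects HKLM\... rather than the PowerShell HKLM:\ drive form
    $regPath = $s.Path -replace '^HKLM:\\', 'HKLM\'
    $file    = Join-Path $BackupDir ("{0}-{1}.reg" -f $s.Name, $stamp)

    if (Test-Path $s.Path) {
        # Export the existing key so it can be restored with: reg import <file>
        reg.exe export $regPath $file /y | Out-Null
        $before = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    } else {
        New-Item -Path $s.Path -Force | Out-Null
        $before = $null
    }

    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
    $after = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)

    # Read back and report old/new values; a MISMATCH line is the signal to investigate
    $state = if ($after -eq $s.Value) { "OK" } else { "MISMATCH" }
    "{0} {1}\{2}: before={3} after={4} (backup: {5})" -f $state, $s.Path, $s.Name, $before, $after, $file
}
```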

Method 7: Use GPO for centralized remediation script deployment

📌 Use Cases: Administrators can deploy a GPO to configure DNS server assignments, Windows Update installation, and BitLocker configurations centrally using scripts.

📌 Prerequisites:

⚠️ Important: Test configurations locally before deploying them across an environment. (See ⚠️ Things to look out for.)

  1. Press Win + R, type Notepad, and press Enter.
  2. Choose the appropriate script in this guide to fix your DNS, patching, or BitLocker issues.
  3. Paste the script inside Notepad, press Ctrl + Shift + S, name it, then add an extension.
    • Add .ps1 if it’s a PowerShell script (e.g., DNS-powershell.ps1).
    • Add .bat if it’s a batch script (e.g., patching-batch.bat).
  4. Press the drop-down beside Save as type, then select All files.
  5. Open the Group Policy Management Console.
  6. Find and right-click your target OU, then choose Create a GPO in this domain, and Link it here….
  7. Right-click the newly created GPO and choose Edit.
  8. Go to:

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)

  9. Double-click Startup, click Add, then browse and select your script from the network share.
  10. Additionally, if using .ps1 scripts, navigate to the following path:

Computer Configuration > Policies > Administrative Templates > System > Scripts

  11. Set the Specify startup script execution policy to Allow all scripts.

💡 Tip: You can deploy the following PowerShell script to your target endpoints to instantly apply configurations:

gpupdate /force

⚠️ Things to look out for

Risk: Applying custom configurations on GPO-managed devices
Potential consequence: GPO overrides changes on enforced configurations after a scheduled policy update.
Reversal: It’s best practice to only script over non-GPO-enforced settings unless you intend to override them temporarily.

Risk: Network adapters are not named “Ethernet” by default.
Potential consequence: Some scripts hardcode network adapter names as Ethernet; however, this name isn’t the default for all adapters, causing script failure.
Reversal: You can rename network adapters in your environment to use a consistent name, improving the effectiveness of hardcoded scripts.

Risk: C:\Logs doesn’t exist before specifying it as a log path.
Potential consequence: Not creating C:\Logs before designating it as a log path will cause an error.
Reversal: Create the target folder and ensure it exists in the specified path before assigning it as a log path.

Risk: Misconfigurations in the Registry
Potential consequence: Misconfiguring the Registry can lead to system instability and sluggish performance.
Reversal: Create a Windows Registry backup before proceeding to ensure easy recovery in case of accidental misconfigurations.

Risk: Deploying untested scripts across an environment
Potential consequence: Not all environments are identical, so scripts may behave differently across managed systems.
Reversal: Test configurations locally to validate their effectiveness before deploying them across an environment.

Key considerations when using remediation scripts via RMM

This section will discuss key considerations you should remember when leveraging scripts to resolve DNS, patching, and BitLocker issues.

Security considerations

When using BitLocker, store recovery keys in Active Directory, or at a minimum follow secure local storage practices. Additionally, enforcing public DNS servers like 8.8.8.8 is acceptable for general use but shouldn’t be used in high-compliance environments.

Logging for auditing and easy rollback

Logs record the configurations made by scripts, writing down changes in a log file for easy documentation and validation. Regularly logging changes helps troubleshoot bad configurations and provides an easy-to-view reference for rollback strategies.

Breaking continuous scripts into short, modular scripts

Although it’s easy to combine scripts that resolve multiple issues, it’s good practice to separate scripts into smaller ones. This allows for focused remediation while minimizing the risk of accidental misconfiguration of working system features.

Quick-Start Guide

NinjaOne offers robust scripting capabilities for creating custom RMM scripts that can address DNS, patching, and BitLocker issues automatically. Here are some specific scripts that can help:

DNS-related Scripts

Clear DNS Cache: script for macOS
Search DNS Cache Entries: script to find specific DNS records
Search DNS Cache Entries Linux for Linux systems

Patching Scripts

Windows Patch Management with ring deployment capabilities
Suspend BitLocker script to temporarily suspend BitLocker protection during patching
Patch Intelligence AI Approval Overrides for intelligent patch management
– Customizable patch deployment strategies using device roles and policies

BitLocker-related Scripts

Suspend BitLocker script that can:
– Suspend BitLocker Protection until the next restart
– Optionally restart the computer once suspended

Additional Helpful Scripts

Update Group Policy (gpupdate) to ensure system policies are current
Enable or Disable Windows Firewall
Set Minimum Password Requirements

The NinjaOne Automation Library provides a comprehensive set of scripts that can be customized and automated to address various system management tasks, including DNS, patching, and BitLocker issues.

Troubleshooting common issues during script deployment

Issue #1: Scripts are not executing properly when deployed via RMM

Scripts may fail due to insufficient RMM agent permissions. Therefore, ensure the script executes as SYSTEM or with elevated privileges, especially when modifying registry keys and values.

On the other hand, some systems block unsigned scripts, such as scripts downloaded from untrusted sources. You can temporarily allow scripts to run in the current session by adding the following command to your PowerShell scripts:

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

Issue #2: BitLocker is not enabled after script execution

Before executing a script, verify your target device’s TPM status by opening an elevated PowerShell prompt and entering Get-Tpm. If TPM is present, check for enforced BitLocker GPOs that may conflict with the configuration. Additionally, when configuring non-TPM devices, you can use scripts to enable BitLocker through the Registry.

Issue #3: Patch remediation scripts silently fail after execution

To resolve this issue, ensure the device has internet access and can reach the WSUS server. Additionally, check for GPOs that may block Windows Update, then restart the Windows Update Agent and trigger an update scan.

NinjaOne services for deploying remediation scripts on endpoints

With NinjaOne, MSPs can operationalize and scale auto-remediation with full transparency and control. Below are the services you can use to streamline the deployment of remediation scripts for DNS, patching, and BitLocker issues.

NinjaOne service: Policy scheduled tasks
Definition: NinjaOne supports effortless task scheduling, allowing for automated script execution within specified time intervals.
How it helps script deployment: Administrators can schedule the deployment of DNS, patching, and BitLocker remediation scripts for periodic maintenance.

NinjaOne service: Automated alert response
Definition: Alert-based triggers allow RMMs to execute remediation actions whenever a specific alert appears on an endpoint.
How it helps script deployment: Automatically deploy remediation scripts after an alert has been triggered, reducing the need for manual intervention and MTTR.

NinjaOne service: Template deployment
Definition: Template deployments help administrators target specific device groups, preventing misapplication of scripts on incompatible devices.
How it helps script deployment: Administrators can assign a specialized BitLocker script for non-TPM devices, while applying standard scripts for TPM devices.

NinjaOne service: Inventory visibility
Definition: NinjaOne’s comprehensive inventory provides a detailed view of endpoints, all within the platform’s dashboard.
How it helps script deployment: View DNS settings, Windows Update history, and BitLocker status to streamline diagnostics and improve response time.

Remediate issues at scale by deploying scripts through an RMM

Automating custom scripts using an RMM platform provides consistent remediation of DNS failures, patching issues, and BitLocker misconfigurations at scale. You can use the provided modular scripts for focused remediation of specific issues, or combine them for broad implementation. Deploy scripts through RMMs, like NinjaOne, to allow alert-based triggers and script scheduling, automating issue remediation, script deployment, and auditing.
