
How to Create Custom RMM Remediation Scripts to Correct DNS, Patching, and BitLocker Issues Automatically

by Francis Sevilleja, IT Technical Writer

Instant Summary

This NinjaOne blog post shows how to build custom remediation scripts, deployed through an RMM platform, that automatically detect and fix three common endpoint problems: DNS misconfigurations, failed or stalled Windows patching, and disabled BitLocker encryption. It covers PowerShell and batch approaches, Registry-based policy fixes, GPO-based deployment, the risks to watch for, and how to schedule or alert-trigger the scripts in NinjaOne.

Key points:

Remediation scripts can automate troubleshooting and resolving DNS misconfigurations, patch failures, and disabled BitLocker encryption.

  • Using PowerShell for DNS issues: Set DNS servers, flush the resolver cache, restart the DNS Client service, and log the result of a resolution test with the PowerShell commands below.
  • Using batch commands for DNS issues: If you prefer not to use PowerShell, a batch script can apply the same DNS fixes from CMD.
  • Using PowerShell to fix patching failures: Use the PSWindowsUpdate module to identify, install, or retry missing updates, and reset Windows Update components when scans are stuck.
  • Using batch commands for troubleshooting updates: Reset update components and trigger a scan for pending or missed updates. Unlike the PowerShell method, the batch script does not install updates.
  • BitLocker recovery via PowerShell remediation scripts: Check encryption status, enable BitLocker if it is off, back up the recovery key to Active Directory, and log encryption status to maintain endpoint compliance.
  • Registry scripts for DNS, patching, and BitLocker: Edit the Windows Registry to set DNS servers, re-enable automatic updates, and allow BitLocker on devices without a TPM.
  • Using GPO to deploy scripts: Use the Group Policy Management Console to run the remediation scripts at startup across an OU.

DNS failures, failed Windows patches, and BitLocker misconfigurations weaken an environment’s security posture. Automating their resolution with scripts improves mean time to repair (MTTR) and reduces both the number of support tickets and the duration of downtime. This guide outlines remediation scripts administrators can deploy through remote monitoring and management (RMM) software.

Remediation scripts to fix DNS, patching, and BitLocker issues

Using an RMM platform to deploy scripts minimizes manual, repetitive fixes, allowing administrators to centrally manage endpoints automatically. This helps them provide faster service delivery and instant issue remediation while keeping endpoints compliant with organizational or industry-wide requirements.

📌 Prerequisites:

  • Access to an RMM platform.
  • PowerShell 5.1 or later on target endpoints.
  • Access to an admin account.
  • BitLocker available on the endpoints (Windows Pro, Enterprise, or Education, or the BitLocker feature installed on Windows Server) and the Windows Update service enabled.
  • Group Policy access for centralized deployment.

📌 Recommended deployment strategies:

Legend: 💻 = best for individual users; 💻💻💻 = best for enterprises.

Method 1: Using PowerShell scripts to auto-remediate DNS issues
Method 2: Leverage batch commands for DNS correction via CMD
Method 3: PowerShell scripts to resolve patching failures
Method 4: Run batch commands on CMD for update troubleshooting
Method 5: BitLocker recovery through PowerShell remediation scripts
Method 6: Registry method for DNS, patch, or BitLocker-related policies
Method 7: Use GPO for centralized remediation script deployment

💡 Note: The scripts in this guide work with any RMM platform that offers remote PowerShell and batch script deployment. For simplicity, we’ll use NinjaOne RMM as the deployment tool for our remediation scripts.

⚠️ Important: Do the following steps for methods 1-6 before proceeding:

NinjaOne’s RMM platform supports JavaScript, PowerShell, Batch, shell script, and VBScript. Here’s how you can upload custom scripts to NinjaOne’s script library:

  1. Open NinjaOne RMM, then go to:

Administration > Library > Automation.

  2. Inside Automation, press Add and select New Script.
  3. Complete the necessary fields and parameters for your custom script.
  4. Paste the script from this guide to save it as an automation script.
    • Ensure that the selected language matches the script’s language.
  5. Once saved, use NinjaOne’s built-in tools to select the target devices for automation by ticking the checkbox beside them.

Method 1: Using PowerShell scripts to auto-remediate DNS issues

📌 Use Cases: Use PowerShell to set the DNS servers an adapter uses and to flush the resolver cache, so stale or poisoned cached records are discarded and re-queried. Administrators can also restart the DNS Client service to reinitialize the resolver.

⚠️ Important: On domain-joined devices whose DNS settings are enforced by GPO, scripted DNS server changes are temporary: the next policy refresh overrides them. (See ⚠️ Things to look out for.)

Remediation script to set DNS servers and flush the cache:

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("8.8.8.8","8.8.4.4")   # replace with internal resolvers on domain-joined devices
Clear-DnsClientCache   # same effect as ipconfig /flushdns

💡 Note: Not all devices use “Ethernet” as their adapter name, so the script above fails on any endpoint where no adapter matches. To avoid hardcoding the name, select adapters by state instead, for example every adapter whose status is Up:

Get-NetAdapter | Where-Object { $_.Status -eq "Up" } | ForEach-Object {
    # Applies to every active adapter, including VPN and virtual adapters; narrow the filter if that is not wanted
    Set-DnsClientServerAddress -InterfaceAlias $_.Name -ServerAddresses ("8.8.8.8", "8.8.4.4")
}
Clear-DnsClientCache

⚠️ Important: On domain-joined devices, pointing adapters at public resolvers such as 8.8.8.8 breaks Active Directory name resolution (domain controller lookups, SRV records, Kerberos), so use your internal DNS servers there. (See Security considerations.)

PowerShell script to restart the DNS client service:

Restarting the DNS Client service (Dnscache, the same service shown in Services.msc) clears the in-memory cache and reinitializes the resolver. On current Windows 10 and 11 builds the service is protected and a stop request may be refused; if that happens, Clear-DnsClientCache (or ipconfig /flushdns) is the reliable way to clear the cache.

Restart-Service -Name Dnscache   # may be refused on builds where the DNS Client service cannot be stopped

Script to log resolution test results

The following script tests whether DNS resolution works and writes a warning to the Windows Application event log if it does not. Write-EventLog fails unless its event source has been registered, so the script registers the source on first use, and it uses Resolve-DnsName rather than Test-Connection so that a firewall blocking ICMP is not mistaken for a DNS failure.

if (-not [System.Diagnostics.EventLog]::SourceExists("DNSFix")) {
    New-EventLog -LogName Application -Source "DNSFix"   # one-time registration of the event source
}
# -DnsOnly skips LLMNR/NetBIOS so only the DNS path is tested
$resolved = Resolve-DnsName -Name google.com -DnsOnly -ErrorAction SilentlyContinue
if (-not $resolved) {
    Write-EventLog -LogName Application -Source "DNSFix" -EventId 3001 -EntryType Warning -Message "DNS resolution failed after fix."
}

💡 Tip: Administrators can schedule these scripts inside RMM platforms for regular DNS maintenance. If your RMM offers real-time alerts, you can automatically trigger these DNS remediation scripts based on alerts and logs.
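The pieces above (server assignment, cache flush, resolution test, event logging) are combined below into one idempotent remediation script suitable for scheduling or alert-triggering from an RMM. This is an added example, not code from the original post or from NinjaOne. It assumes a probe name the endpoint must be able to resolve ($ProbeName, here the made-up dc01.corp.example) and a set of internal fallback resolvers ($FallbackServers, here made-up 10.0.0.x addresses). It changes nothing when resolution already works, first reverts any static override to DHCP, applies the fallback servers only if that still fails, selects adapters by default gateway instead of by name, and reports the outcome through the exit code so the RMM can alert on it.

```powershell
# Added example: idempotent DNS remediation for RMM deployment (not from the original post).
# Assumptions: $ProbeName is a name the endpoint must resolve (use an internal name on
# domain-joined devices); $FallbackServers are internal resolvers. Exit 0 = healthy, 1 = still broken.
param(
    [string]$ProbeName = "dc01.corp.example",                 # assumed probe name
    [string[]]$FallbackServers = @("10.0.0.10", "10.0.0.11")  # assumed internal resolvers
)

$Source = "DNSFix"
# Write-EventLog fails unless the source is registered once per machine
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Write-DnsEvent([int]$Id, [string]$Type, [string]$Message) {
    Write-EventLog -LogName Application -Source $Source -EventId $Id -EntryType $Type -Message $Message
    Write-Output $Message   # also surfaces in the RMM activity log
}

function Test-Resolution([string]$Name) {
    # Resolve-DnsName exercises the resolver only; Test-Connection would also need ICMP to pass
    $null -ne (Resolve-DnsName -Name $Name -DnsOnly -ErrorAction SilentlyContinue)
}

if (Test-Resolution $ProbeName) {
    Write-DnsEvent 3000 "Information" "DNS healthy ($ProbeName resolves); no change made."
    exit 0
}

# Select adapters by having an IPv4 default gateway, not by name, so "Ethernet" is never hardcoded
$configs = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway }
if (-not $configs) {
    Write-DnsEvent 3002 "Error" "No adapter with an IPv4 default gateway; this is not a DNS problem."
    exit 1
}

# Step 1: drop any static override and return to DHCP-assigned servers, then flush the cache
foreach ($cfg in $configs) {
    $before = (Get-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    Set-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -ResetServerAddresses
    Write-DnsEvent 3003 "Information" "$($cfg.InterfaceAlias): reset DNS from [$($before -join ', ')] to DHCP."
}
Clear-DnsClientCache
if (Test-Resolution $ProbeName) {
    Write-DnsEvent 3004 "Information" "DNS restored by resetting to DHCP."
    exit 0
}

# Step 2: DHCP did not help, so apply the fallback servers explicitly
foreach ($cfg in $configs) {
    Set-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -ServerAddresses $FallbackServers
    Write-DnsEvent 3005 "Warning" "$($cfg.InterfaceAlias): applied fallback DNS [$($FallbackServers -join ', ')]."
}
Clear-DnsClientCache
if (Test-Resolution $ProbeName) {
    Write-DnsEvent 3006 "Information" "DNS restored with fallback servers."
    exit 0
}

Write-DnsEvent 3001 "Warning" "DNS resolution of $ProbeName still failing after remediation."
exit 1
```

Run it as an elevated script from the RMM; a non-zero exit code means the device still cannot resolve the probe name and should be escalated rather than silently re-run. Reverting to DHCP before applying fixed servers matters because the most common cause of a broken resolver on a managed device is a stale static entry left by an earlier fix.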

Method 2: Leverage batch commands for DNS correction via CMD

📌 Use Case: Use the following batch script to flush the DNS cache, restart the client, set a server, and test the remediation in one go.

Basic DNS issue remediation using a batch script:

@echo off
rem Clear cached records, then restart the DNS Client (stop may be refused on current Windows builds)
ipconfig /flushdns
net stop dnscache
net start dnscache
rem The adapter name must match exactly; use your internal resolver instead of 8.8.8.8 on domain-joined devices
netsh interface ip set dns name="Ethernet" static 8.8.8.8
if not exist C:\Logs mkdir C:\Logs
echo [%DATE% %TIME%] DNS test >> C:\Logs\dns_fix_result.txt
nslookup google.com >> C:\Logs\dns_fix_result.txt 2>&1

⚠️ Important: A hardcoded name like “Ethernet” causes the netsh line to fail when no adapter has exactly that name, since netsh requires an exact match. (See ⚠️ Things to look out for.)

Method 3: PowerShell scripts to resolve patching failures

📌 Use Cases: Use PowerShell to force missed updates, reset update components, and log update results for error diagnosis.

Force recheck and install missing updates:

This script installs and imports the community PSWindowsUpdate module from the PowerShell Gallery, which wraps the Windows Update Agent, then scans for and installs all pending updates. Because the module is pulled from a public repository at run time, pin the version you have reviewed (or host it on an internal repository) rather than installing whatever is latest. -AutoReboot restarts the machine without warning the user, so drop it if your RMM manages reboots.

# The NuGet provider is needed for Install-Module to run unattended on a fresh PowerShell 5.1 machine
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force -AllowClobber   # add -RequiredVersion to pin a reviewed version
Import-Module PSWindowsUpdate
Get-WindowsUpdate -AcceptAll -Install -AutoReboot   # -AutoReboot reboots immediately when an update requires it

PowerShell script to reset Windows Update components:

The following script stops the Windows Update service (wuauserv) and BITS, which holds open files in the download cache, then deletes the SoftwareDistribution folder. That folder contains cached downloads and scan history, and a corrupted entry there is a common cause of stuck or failing updates; the service recreates it on the next start. Use this script to recover from a corrupted download or to remediate stuck or slow update scans.

Stop-Service -Name wuauserv, bits -Force
# SoftwareDistribution is rebuilt on the next service start; deleting it discards cached downloads and scan history
Remove-Item -Path "$env:SystemRoot\SoftwareDistribution" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service -Name bits, wuauserv

Generating a log update summary using scripts:

Use the script below to collect diagnostic data post-update and to help centralize logging for easier error monitoring.

Get-WindowsUpdateLog -LogPath "C:\Logs\WindowsUpdateSummary.txt"

⚠️ Important: Ensure that C:\Logs exists before designating it as a log path. (See ⚠️ Things to look out for.)
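The install and reset steps above leave two decisions to the operator: which version of the third-party module to trust, and when the endpoint reboots. The script below is an added example, not code from the original post or from NinjaOne, that makes both explicit. It assumes a module version you have reviewed ($RequiredVersion; the value shown is a placeholder to replace with the version you vetted on PSGallery) and a writable $LogDir. It refuses to stack installs on a device that already has a reboot pending, installs with -IgnoreReboot so the RMM decides when to restart, and reports the state through exit codes (0 up to date, 2 installed with reboot pending, 1 failure).

```powershell
# Added example: pinned-module patch remediation with RMM-friendly exit codes (not from the original post).
# Assumptions: $RequiredVersion is a PSWindowsUpdate version you have reviewed (placeholder value);
# the endpoint can reach $Repository. Exit 0 = up to date, 2 = installed and reboot pending, 1 = failure.
param(
    [string]$RequiredVersion = "2.2.1.5",   # assumed; replace with the version you have vetted
    [string]$Repository = "PSGallery",      # or an internal repository registered with Register-PSRepository
    [string]$LogDir = "C:\Logs"
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null   # avoids the missing C:\Logs failure
$log = Join-Path $LogDir "patch_remediation.log"

function Write-Log([string]$Message) {
    $line = "[{0:u}] {1}" -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    Write-Output $line
}

function Test-RebootPending {
    # Markers written by Windows Update and component servicing when a restart is outstanding
    (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired") -or
    (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending")
}

try {
    if (Test-RebootPending) {
        Write-Log "Reboot already pending; not installing more updates until it happens."
        exit 2
    }

    # Pin the module version so a new gallery release cannot silently change what runs as SYSTEM
    $installed = Get-Module -ListAvailable -Name PSWindowsUpdate |
        Where-Object { $_.Version -eq [version]$RequiredVersion }
    if (-not $installed) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
        Install-Module -Name PSWindowsUpdate -RequiredVersion $RequiredVersion -Repository $Repository `
            -Scope AllUsers -Force -AllowClobber
        Write-Log "Installed PSWindowsUpdate $RequiredVersion from $Repository."
    }
    Import-Module PSWindowsUpdate -RequiredVersion $RequiredVersion

    $pending = Get-WindowsUpdate
    if (-not $pending) {
        Write-Log "No pending updates."
        exit 0
    }
    $pending | ForEach-Object { Write-Log ("Pending: {0}" -f $_.Title) }

    # -IgnoreReboot: the RMM, not this script, decides when the device restarts
    Install-WindowsUpdate -AcceptAll -IgnoreReboot |
        ForEach-Object { Write-Log ("{0}: {1}" -f $_.Result, $_.Title) }

    if (Test-RebootPending) {
        Write-Log "Updates installed; reboot pending."
        exit 2
    }
    Write-Log "Updates installed; no reboot required."
    exit 0
}
catch {
    Write-Log "Patch remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Map exit code 2 to a maintenance-window reboot task in the RMM and exit code 1 to an alert; that keeps the unattended reboot out of the script while still surfacing devices that need one.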

Method 4: Run batch commands on CMD for update troubleshooting

📌 Use Case: The CMD can deploy batch commands that reset update components and trigger a scan.

Basic update fix batch script:

The following batch script quickly resets the update components and triggers a scan for pending or missed updates. Unlike Method 3, however, it does not install anything: users (or a later PowerShell run) still need to apply the updates. Note that wuauclt /detectnow is honored only by the legacy Windows Update Agent (Windows 8.1, Server 2012 R2, and earlier); on Windows 10 and 11 the Update Session Orchestrator client triggers the scan instead.

@echo off
rem Stop the Windows Update and BITS services, discard the download cache, and restart them
net stop wuauserv
net stop bits
rd /s /q %SystemRoot%\SoftwareDistribution
net start bits
net start wuauserv
rem Legacy trigger for Windows 8.1 / Server 2012 R2 and earlier
wuauclt /detectnow
rem Trigger for Windows 10 and 11
UsoClient StartScan

💡 Tip: Set a policy condition in your RMM to trigger this script when the Last Installed Update exceeds a set number of days. This allows your managed endpoints to automatically scan for updates regularly and consistently.

Method 5: BitLocker recovery through PowerShell remediation scripts

Having BitLocker disabled on an endpoint makes the device non-compliant and leaves its data readable to anyone who obtains the disk. Ensuring BitLocker protection is consistently enabled on all managed endpoints therefore strengthens an organization’s security posture.

📌 Use Cases: Administrators can use scripts on their RMM to verify BitLocker status, enable protection, back up recovery keys, and log encryption status.

📌 Prerequisite: Devices with Trusted Platform Module (TPM)

Scripts to check and enable BitLocker if it’s missing:

This PowerShell script reads the BitLocker volume object for a given drive (here C:) and, if protection is off, adds a recovery password protector and then enables BitLocker with the TPM as the boot-time protector, without end-user interaction. Piping the cmdlets to Out-Null keeps the generated recovery password out of the RMM’s captured script output; it is escrowed in the next step instead.

$bitlocker = Get-BitLockerVolume -MountPoint "C:"
if ($bitlocker.ProtectionStatus -eq "Off") {
    # Add a recovery password first so an escrow-able key exists before encryption starts
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
    # -SkipHardwareTest starts encryption now instead of after a test reboot
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
}

💡 NOTE: -TpmProtector requires a present and ready TPM on the target device (check with Get-Tpm); on non-TPM devices the command fails. On a volume that is already encrypted but merely suspended, use Resume-BitLocker instead of Enable-BitLocker.

Back up the recovery key to Active Directory:

The script below re-reads the volume so newly added protectors are included, finds the Recovery Password protector, and backs it up to Active Directory Domain Services. This requires a domain-joined device and the BitLocker GPO that permits AD DS backup of recovery information; for Microsoft Entra-joined devices use BackupToAAD-BitLockerKeyProtector instead. Escrowing the key ensures recovery is possible after a TPM reset, firmware change, or OS corruption.

$bitlocker = Get-BitLockerVolume -MountPoint "C:"   # re-read so protectors added above are present
$recovery = $bitlocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recovery[0].KeyProtectorId

Check and log BitLocker encryption status:

Administrators can use the script below to create a simple log record as local proof of a device’s encryption status.

$bitlocker | Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage | Out-File "C:\Logs\bitlocker_status.txt"

💡 Tip: Administrators can assign this script to automatically run on schedule or when BitLocker protection status is detected as Off.
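The three BitLocker steps above assume the device has a usable TPM and that the volume is simply off. The script below, an added example that is not part of the original post or of NinjaOne’s library, folds them into one compliance check that handles the states a fleet actually presents: no usable TPM (handed to a separate non-TPM policy via exit code 3), a fully decrypted volume (encrypt), an encrypted but suspended volume (resume rather than re-enable), and a volume that is encrypted but whose recovery key has never been escrowed. It assumes a domain-joined device whose GPO permits AD DS key backup and a writable $LogDir. Only the protector ID is written to the log; the recovery password itself is never written to disk or to script output.

```powershell
# Added example: BitLocker compliance remediation for TPM devices (not from the original post).
# Assumptions: domain-joined device with the GPO allowing AD DS recovery-key backup; $LogDir writable.
# Exit 0 = compliant, 1 = remediation or escrow failed, 3 = no usable TPM (needs the non-TPM policy).
param(
    [string]$MountPoint = "C:",
    [string]$LogDir = "C:\Logs"
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logFile = Join-Path $LogDir "bitlocker_status.json"

function Write-StatusLog($Volume, [string]$ProtectorId, [bool]$Escrowed, [string]$Note) {
    # Only the protector ID is logged; the recovery password must never land in a log file
    [pscustomobject]@{
        Time                 = (Get-Date).ToString("u")
        Computer             = $env:COMPUTERNAME
        MountPoint           = $MountPoint
        VolumeStatus         = "$($Volume.VolumeStatus)"
        ProtectionStatus     = "$($Volume.ProtectionStatus)"
        EncryptionPercentage = $Volume.EncryptionPercentage
        RecoveryProtectorId  = $ProtectorId
        EscrowedToAD         = $Escrowed
        Note                 = $Note
    } | ConvertTo-Json | Set-Content -Path $logFile
}

try {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Output "TPM absent or not ready; route this device to the non-TPM policy."
        exit 3
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne "On") {
        if ($vol.VolumeStatus -eq "FullyDecrypted") {
            # Recovery password first so an escrow-able key exists before encryption starts;
            # Out-Null keeps the generated password out of the RMM's captured output
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                -TpmProtector -SkipHardwareTest | Out-Null
        } elseif ($vol.VolumeStatus -eq "FullyEncrypted") {
            # Encrypted but suspended (e.g. after a firmware update): resume instead of re-enabling
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        # Any other state (encryption in progress) is left to finish on its own
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # Make sure a recovery password exists even on volumes encrypted by some earlier process
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object -First 1
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object -First 1
    }

    # Escrow to AD DS; an unescrowed key means the device is not actually recoverable, so treat failure as non-compliance
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    } catch {
        Write-StatusLog $vol $rp.KeyProtectorId $false "AD escrow failed: $($_.Exception.Message)"
        exit 1
    }

    Write-StatusLog $vol $rp.KeyProtectorId $true "Compliant"
    exit 0
}
catch {
    Write-Output "BitLocker remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Assign the script to a device group filtered on “TPM present” and let exit code 3 move devices into the non-TPM group, so each group gets the protector type it can actually use. Treating a failed escrow as exit 1 rather than success is deliberate: an encrypted disk whose recovery key exists only on that disk is a data-loss incident waiting for the next TPM reset.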

Method 6: Registry method for DNS, patch, or BitLocker-related policies

The Registry contains values administrators can configure to replace incorrect DNS servers, re-enable automatic updates, and allow BitLocker on devices without a TPM.

⚠️ Warning: Misconfigurations in the Registry can break system stability, introducing problems like boot issues and significant performance slowdown. (See ⚠️ Things to look out for.)

📌 Use Cases: Leverage PowerShell scripts to automate Registry configurations and deploy them consistently across endpoints using an RMM platform.

Assign a new DNS server using PowerShell scripts:

This script writes the global NameServer value under the TCP/IP parameters key, a legacy setting that overrides automatic (DHCP) DNS assignment. GPO-enforced DNS settings still override it at the next policy refresh, and Set-DnsClientServerAddress (Method 1) is the supported way to set servers per adapter, so reserve this for cases where that cmdlet is unavailable.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NameServer" -Value "8.8.8.8"   # REG_SZ; separate multiple servers with spaces

Re-enable automatic updates (if patching is blocked by policy):

Setting the NoAutoUpdate DWORD under the WindowsUpdate\AU policy key to 0 re-enables Automatic Updates where a policy has switched it off. This value controls whether Automatic Updates runs at all, not the feature-update deferral settings. Use it where patching is blocked by a leftover or mistaken policy.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Value 0 -Type DWord   # 0 = Automatic Updates enabled

Allow BitLocker on non-TPM devices using Registry scripts:

These values mirror the “Require additional authentication at startup” policy: UseAdvancedStartup turns the policy on and EnableBDEWithNoTPM permits BitLocker without a TPM. They do not enable BitLocker by themselves; Enable-BitLocker must still be run with a startup password or startup key protector.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "UseAdvancedStartup" -Value 1 -Type DWord   # turn on the startup-authentication policy
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "EnableBDEWithNoTPM" -Value 1 -Type DWord  # allow BitLocker without a TPM

💡 Note: On non-TPM devices BitLocker still needs an alternative protector, such as a startup password (Enable-BitLocker -PasswordProtector) or a startup key on USB (-StartupKeyProtector), and the user must supply it at every boot.
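The warning at the top of this method says to back up the Registry first, and the “Things to look out for” table lists restoring that backup as the reversal. The script below, an added example and not code from the original post or from NinjaOne, applies the two DWORD policy changes of this method in one run and makes that reversal real: it exports each key with reg.exe before the first change, records keys that did not exist at all, and restores or removes them when run again with -Rollback. It assumes a $BackupDir writable by the RMM agent (restrict it to administrators). The DNS NameServer value is a string and is left out on purpose, since Set-DnsClientServerAddress is the supported route for it.

```powershell
# Added example: apply this method's registry policy values with an export-based rollback (not from the original post).
# Assumptions: $BackupDir is writable by the RMM agent; run with -Rollback to restore the snapshot.
param(
    [switch]$Rollback,
    [string]$BackupDir = "C:\Logs\RegBackup"   # assumed location
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Keys (reg.exe form) mapped to the DWORD values this method sets
$Changes = [ordered]@{
    "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" = @{ NoAutoUpdate = 0 }
    "HKLM\SOFTWARE\Policies\Microsoft\FVE"                      = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }
}

function Get-BackupFile([string]$Key) { Join-Path $BackupDir (($Key -replace '[\\:]', '_') + ".reg") }

foreach ($key in $Changes.Keys) {
    $psPath = $key -replace '^HKLM\\', 'HKLM:\'   # provider path for Set-ItemProperty
    $file   = Get-BackupFile $key
    $absent = "$file.absent"                      # marker: key did not exist before the first run

    if ($Rollback) {
        if (Test-Path $absent) {
            reg.exe delete $key /f | Out-Null
            Write-Output "Removed $key (it did not exist before remediation)"
        } elseif (Test-Path $file) {
            reg.exe delete $key /f | Out-Null      # clear any values added since the snapshot
            reg.exe import $file | Out-Null
            Write-Output "Restored $key from $file"
        } else {
            Write-Output "No backup for $key; nothing to roll back"
        }
        continue
    }

    # Snapshot once; re-running the remediation must not overwrite the pre-change state
    if (-not (Test-Path $file) -and -not (Test-Path $absent)) {
        if (Test-Path $psPath) {
            reg.exe export $key $file /y | Out-Null
        } else {
            New-Item -ItemType File -Path $absent -Force | Out-Null
        }
    }

    New-Item -Path $psPath -Force | Out-Null
    foreach ($name in $Changes[$key].Keys) {
        Set-ItemProperty -Path $psPath -Name $name -Value $Changes[$key][$name] -Type DWord
        Write-Output "$key\$name = $($Changes[$key][$name])"
    }
}
```

Keep the apply and rollback paths in the same script so the RMM library holds one tested artifact per change; a rollback written months later, from memory, is the one most likely to be wrong.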

Method 7: Use GPO for centralized remediation script deployment

📌 Use Cases: Administrators can deploy a GPO to configure DNS server assignments, Windows Update installation, and BitLocker configurations centrally using scripts.

📌 Prerequisites: A domain-joined environment and a network share that domain computers can read (for example the GPO’s own SYSVOL folder) to hold the script.

⚠️ Important: Test configurations locally before deploying them across an environment. (See ⚠️ Things to look out for.)

  1. Press Win + R, type Notepad, and press Enter.
  2. Choose the appropriate script in this guide to fix your DNS, patching, or BitLocker issues.
  3. Paste the script inside Notepad and press Ctrl + Shift + S.
  4. Press the drop-down beside Save as type, select All files, then name the file with the right extension:
    • .ps1 for a PowerShell script (e.g., DNS-powershell.ps1).
    • .bat for a batch script (e.g., patching-batch.bat).
  5. Copy the file to the network share that domain computers can read.
  6. Open the Group Policy Management Console.
  7. Find and right-click your target OU, then choose Create a GPO in this domain, and Link it here….
  8. Right-click the newly created GPO and choose Edit.
  9. Go to:

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)

  10. Double-click Startup. For a .bat file click Add on the Scripts tab; for a .ps1 file use the PowerShell Scripts tab. Browse to and select your script on the network share.
  11. If the endpoints’ execution policy blocks .ps1 scripts, go to:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell

  12. Enable Turn on Script Execution and choose the least permissive policy that runs your scripts: Allow only signed scripts if you sign them, otherwise Allow local scripts and remote signed scripts. Allow all scripts also works but switches off the unsigned-script check on every endpoint in the OU.

💡 Tip: Rather than waiting for the next policy refresh, run the following command on the target endpoints (through the RMM, for example) to apply the new GPO immediately:

gpupdate /force

⚠️ Things to look out for

Risk: Applying custom configurations on GPO-managed devices
Potential consequence: GPO overrides the scripted change at the next scheduled policy refresh.
Reversal: Script only settings that are not GPO-enforced, unless a temporary override is what you intend.

Risk: Network adapters are not named “Ethernet” by default
Potential consequence: Scripts that hardcode the adapter name fail on devices where no adapter matches.
Reversal: Select adapters by status or default gateway rather than by name, or standardize adapter names across the environment so hardcoded scripts work.

Risk: C:\Logs does not exist before it is used as a log path
Potential consequence: Writing to the log path fails with a path-not-found error.
Reversal: Create the folder first and confirm it exists before assigning it as a log path.

Risk: Misconfigurations in the Registry
Potential consequence: System instability, boot problems, or sluggish performance.
Reversal: Export the affected keys before making changes so they can be restored.

Risk: Deploying untested scripts across an environment
Potential consequence: Environments differ, so scripts may behave differently across managed systems.
Reversal: Test on a small pilot group to validate the scripts before deploying broadly.

Key considerations when using remediation scripts via RMM

This section will discuss key considerations you should remember when leveraging scripts to resolve DNS, patching, and BitLocker issues.

Security considerations

When using BitLocker, escrow recovery keys to Active Directory Domain Services (or Microsoft Entra ID for cloud-joined devices) before relying on them, and never write the recovery password itself into local log files or RMM script output; a file under C:\Logs is readable by anyone with access to the machine. Forcing public DNS servers such as 8.8.8.8 is acceptable only for stand-alone devices: on domain-joined endpoints it breaks Active Directory name resolution, and in any monitored or regulated environment it bypasses the internal resolvers that provide filtering and query logging.

Logging for auditing and easy rollback

Logs record the configurations made by scripts, writing down changes in a log file for easy documentation and validation. Regularly logging changes helps troubleshoot bad configurations and provides an easy-to-view reference for rollback strategies.

Breaking continuous scripts into short, modular scripts

Although it’s easy to combine scripts that resolve multiple issues, it’s good practice to separate scripts into smaller ones. This allows for focused remediation while minimizing the risk of accidental misconfiguration of working system features.

Quick-Start Guide

NinjaOne offers robust scripting capabilities for creating custom RMM scripts that can address DNS, patching, and BitLocker issues automatically. Here are some specific scripts that can help:

DNS-related Scripts

Patching Scripts

BitLocker-related Scripts

Suspend BitLocker script that can:

  • Suspend BitLocker Protection until the next restart
  • Optionally restart the computer once suspended

Additional Helpful Scripts

NinjaOne Automation Library provides a comprehensive set of scripts that can be customized and automated to address various system management tasks, including DNS, patching, and BitLocker issues.

Troubleshooting common issues during script deployment

Issue #1: Scripts are not executing properly when deployed via RMM

A common reason scripts fail to run properly is insufficient privilege for the RMM agent. Make sure the agent runs with administrator-level (typically SYSTEM) rights before running any scripts, especially ones that modify Registry keys and values.

Separately, the PowerShell execution policy may block unsigned scripts, for example ones downloaded from the internet or stored on a network share. Adding the command below inside the blocked script does not help, because a blocked script never starts; run it before the script is invoked, or check how your RMM agent launches PowerShell (a -ExecutionPolicy Bypass launch option has the same effect). It relaxes the policy for that process only and leaves the machine-wide policy alone, but every script the agent runs is then trusted unconditionally, so signing your scripts and keeping AllSigned or RemoteSigned is the safer long-term fix.

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
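Signing the scripts removes the need for a Bypass policy altogether. The script below is an added example, not code from the original post or from NinjaOne, that signs one script file and then verifies the signature the way an endpoint under AllSigned or RemoteSigned will. It assumes a code-signing certificate with the subject in $Subject already exists in the current user’s store (in production, issued by your enterprise CA); if none is found it creates a self-signed one, which is suitable only for a lab and must be placed in the Trusted Root and Trusted Publishers stores on the endpoints before they will run what it signs. The timestamp server URL is an assumption; use the one your CA provides.

```powershell
# Added example: sign a remediation script so endpoints can keep a restrictive execution policy (not from the original post).
# Assumptions: a code-signing certificate with subject $Subject is in Cert:\CurrentUser\My (self-signed fallback is lab-only);
# $TimestampServer is a placeholder for your CA's timestamp authority.
param(
    [Parameter(Mandatory)][string]$ScriptPath,
    [string]$Subject = "CN=RMM Remediation Scripts",             # assumed certificate subject
    [string]$TimestampServer = "http://timestamp.digicert.com"   # assumed; replace with your CA's TSA
)
$ErrorActionPreference = "Stop"

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) {
    # Lab fallback only: production signing uses a certificate issued by the enterprise CA
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject -CertStoreLocation Cert:\CurrentUser\My
}

# Timestamping keeps the signature verifiable after the signing certificate expires
Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert -HashAlgorithm SHA256 `
    -TimestampServer $TimestampServer | Out-Null

# Check the result the way the endpoint's execution policy will
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($check.Status -eq "Valid") {
    Write-Output "Signed $ScriptPath with $($check.SignerCertificate.Subject)"
} else {
    # A self-signed certificate not yet in Trusted Root and Trusted Publishers on this machine lands here
    Write-Warning "Signature status is $($check.Status): $($check.StatusMessage)"
    Write-Warning "Endpoints under AllSigned or RemoteSigned will refuse the script until the signer is trusted."
}
```

Sign scripts on an administrator workstation before uploading them to the RMM library; any later edit in the library invalidates the signature, which is exactly the tamper check you want.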

Issue #2: BitLocker is not enabled after script execution

Before executing a script, verify your target device’s TPM status by opening an elevated PowerShell prompt and entering Get-Tpm. If TPM is present, check for enforced BitLocker GPOs that may conflict with the configuration. Additionally, when configuring non-TPM devices, you can use scripts to enable BitLocker through the Registry.

Issue #3: Patch remediation scripts silently fail after execution

To resolve this issue, ensure the device has internet access and can reach the WSUS server. Additionally, check for GPOs that may block Windows Update, then restart the Windows Update Agent and trigger an update scan.

NinjaOne services for deploying remediation scripts on endpoints

With NinjaOne, MSPs can operationalize and scale auto-remediation with full transparency and control. Below are the services you can use to streamline the deployment of remediation scripts for DNS, patching, and BitLocker issues.

NinjaOne service: Policy scheduled tasks
Definition: NinjaOne supports task scheduling, allowing automated script execution at specified intervals.
How it helps script deployment: Administrators can schedule the DNS, patching, and BitLocker remediation scripts for periodic maintenance.

NinjaOne service: Automated alert response
Definition: Alert-based triggers let the RMM execute remediation actions whenever a specific alert appears on an endpoint.
How it helps script deployment: Remediation scripts run automatically after an alert fires, reducing manual intervention and MTTR.

NinjaOne service: Template deployment
Definition: Template deployments let administrators target specific device groups, preventing scripts from being applied to incompatible devices.
How it helps script deployment: Administrators can assign a specialized BitLocker script to non-TPM devices while applying the standard script to TPM devices.

NinjaOne service: Inventory visibility
Definition: NinjaOne’s inventory provides a detailed view of endpoints within the platform’s dashboard.
How it helps script deployment: View DNS settings, Windows Update history, and BitLocker status to streamline diagnostics and improve response time.

Remediate issues at scale by deploying scripts through an RMM

Automating custom scripts using an RMM platform provides consistent remediation of DNS failures, patching issues, and BitLocker misconfigurations at scale. You can use the provided modular scripts for focused remediation of specific issues, or combine them for broad implementation. Deploy scripts through RMMs, like NinjaOne, to allow alert-based triggers and script scheduling, automating issue remediation, script deployment, and auditing.


FAQs

You can trigger remediation scripts automatically by using your RMM platform’s filtering or alert-based automation features. Create dynamic device groups or conditions, such as failed patch status, BitLocker disabled, or high CPU usage, and attach your remediation script to that condition. This ensures scripts only run on endpoints that need them, reducing risk and preventing unnecessary changes to compliant systems, and issues like DNS misconfigurations or missing patches are addressed proactively without waiting for an incident.

To automate common fixes, upload remediation scripts to the RMM automation library and assign them to a recurring policy or scheduled task. You can create an automated task or policy that runs the script at defined intervals or when certain thresholds, configured triggers, or alert conditions are met. Relying on the IT automation tools within your RMM platform enables your IT team to proactively resolve common or recurrent issues.

Common errors include scripts failing due to inadequate permissions and missing modules or dependencies, such as not having some PowerShell modules installed. Scripts referencing hard-coded device names or paths can also cause errors, as these can differ across various endpoints. To help prevent issues from occurring, make sure you have administrator privileges before running scripts, use dynamic variables instead of fixed paths if you’re creating a custom script, and, lastly, test new scripts on a small control group first before deploying them across your organization.
