{"id":3146,"date":"2026-02-20T10:49:04","date_gmt":"2026-02-20T10:49:04","guid":{"rendered":"https:\/\/zecurit.com\/help\/endpoint-management\/remote-script-execution\/script-best-practices\/"},"modified":"2026-02-20T11:21:47","modified_gmt":"2026-02-20T11:21:47","slug":"script-best-practices","status":"publish","type":"docs","link":"https:\/\/zecurit.com\/help\/endpoint-management\/remote-script-execution\/script-best-practices\/","title":{"rendered":"Best Practices for Scripts in Zecurit"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>Writing and deploying reliable automation scripts requires more than just working code. This page covers best practices for using Zecurit&#8217;s built-in tools \u2014 including the inline script editor, pre-built Script Hub templates, and third-party script imports \u2014 along with operational guidelines that keep your script library secure, maintainable, and effective.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Use the Built-In Script Editor<\/h2>\n\n\n\n<p>Zecurit&#8217;s console includes an inline code editor you can access directly during script creation (<strong>Scripts Repository \u2192 Add Script \u2192 Write a Script<\/strong>). 
Using the editor offers several advantages over always uploading external files:<\/p>\n\n\n\n<p><strong>When to use the editor:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Writing quick ad-hoc diagnostic or remediation scripts<\/li>\n\n\n\n<li>Creating parameterized template scripts that rely on runtime arguments<\/li>\n\n\n\n<li>Making minor edits to existing scripts without downloading\/re-uploading<\/li>\n<\/ul>\n\n\n\n<p><strong>Editor tips:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Paste well-tested code into the editor rather than writing from scratch for complex scripts.<\/li>\n\n\n\n<li>Use the <strong>Script Arguments<\/strong> field to pass variables (directory paths, usernames, threshold values) so the same script logic works across different scenarios without code changes.<\/li>\n\n\n\n<li>Always set a meaningful <strong>Exit Code<\/strong> \u2014 don&#8217;t rely only on <code>0<\/code>. If your script has partial success states (e.g., Windows Update restart pending = exit code <code>3010<\/code>), add them as comma-separated success codes so Zecurit accurately reports execution status.<\/li>\n\n\n\n<li>Add a comment block at the top of every script that includes: script name, author, date created, purpose, expected runtime, and any prerequisites or dependencies.<\/li>\n<\/ul>\n\n\n\n<p><strong>Example PowerShell header comment block:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># ============================================================\n# Script Name  : WIN-Cleanup-TempFiles-Weekly.ps1\n# Author       : IT Admin\n# Created      : 2026-02-20\n# Purpose      : Removes %TEMP% and browser cache files\n# Platform     : Windows 10\/11\n# Run As       : System\n# Exit Codes   : 0 = Success, 1 = Partial failure\n# Est. Runtime : 2\u20135 minutes\n# ============================================================<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Start with Zecurit Script Hub Templates<\/h2>\n\n\n\n<p>Before writing a script from scratch, check <strong><a href=\"https:\/\/zecurit.com\/script-hub\/\">Zecurit Script Hub<\/a><\/strong> &#8211; a free library of 100+ pre-tested script templates built specifically for common sysadmin and IT automation tasks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What&#8217;s Available in Script Hub<\/h3>\n\n\n\n<p>Script Hub templates are organized by category:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Category<\/th><th>Example Scripts<\/th><\/tr><\/thead><tbody><tr><td><strong>System Maintenance<\/strong><\/td><td>Disk cleanup, log rotation, temp file removal, registry optimization<\/td><\/tr><tr><td><strong>Security &amp; Compliance<\/strong><\/td><td>Firewall rule configuration, BitLocker status check, security audit, password policy enforcement<\/td><\/tr><tr><td><strong>Software Management<\/strong><\/td><td>App deployment, silent uninstall, dependency check, license validation<\/td><\/tr><tr><td><strong>User Management<\/strong><\/td><td>Account provisioning, group assignment, offboarding automation<\/td><\/tr><tr><td><strong>Monitoring &amp; Reporting<\/strong><\/td><td>System health check, hardware inventory, performance metrics<\/td><\/tr><tr><td><strong>Patch Management<\/strong><\/td><td>Windows Update triggers, driver updates, patch verification<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">How to Use Script Hub Templates in Zecurit<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Visit <a href=\"https:\/\/zecurit.com\/script-hub\/\">zecurit.com\/script-hub<\/a>.<\/li>\n\n\n\n<li>Browse or search for the script you need.<\/li>\n\n\n\n<li>Copy the script code (or download the file if available).<\/li>\n\n\n\n<li>In Zecurit, go to <strong>Scripts Repository \u2192 Add Script<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Write a Script<\/strong>, paste the code, fill in the name, 
description, platform, and tags.<\/li>\n\n\n\n<li>Click <strong>Add<\/strong> to save to your repository.<\/li>\n<\/ol>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Recommended starting scripts from Script Hub:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/zecurit.com\/script-hub\/disk-space-cleanup-powershell-script\/\">Disk Space Cleanup PowerShell Script<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/script-hub\/windows-firewall-configuration\/\">Windows Firewall Configuration Script<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/script-hub\/powershell-hardware-inventory-script\/\">PowerShell Hardware &amp; Software Inventory Script<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/script-hub\/application-deployment-powershell-script\/\">Application Deployment PowerShell Script<\/a><\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<p>Script Hub templates are maintained and tested against current OS versions. Starting from a hub template is almost always faster and safer than writing from scratch.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Importing Third-Party Scripts<\/h2>\n\n\n\n<p>Zecurit supports importing scripts from external sources, internal script repositories, GitHub, vendor toolkits, or community resources. 
The <strong>Upload<\/strong> option in the Add Script dialog accepts any supported file type.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Steps to Import a Third-Party Script<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Download or save the script file to your local machine.<\/li>\n\n\n\n<li>Go to <strong>Scripts Repository \u2192 Add Script \u2192 Upload<\/strong>.<\/li>\n\n\n\n<li>Select the file from your local filesystem.<\/li>\n\n\n\n<li>Review and update <strong>Script Name<\/strong>, <strong>Description<\/strong>, and <strong>Tags<\/strong>.<\/li>\n\n\n\n<li>Confirm the correct <strong>Platform<\/strong> is selected.<\/li>\n\n\n\n<li>Adjust <strong>Exit Codes<\/strong> if the third-party script uses non-standard success codes.<\/li>\n\n\n\n<li>Click <strong>Add<\/strong>.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">What to Review Before Importing Third-Party Scripts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Read the full script code.<\/strong> Never upload or execute unreviewed code on production endpoints. Even trusted sources occasionally introduce bugs or breaking changes.<\/li>\n\n\n\n<li><strong>Check for hardcoded credentials.<\/strong> Replace any hardcoded usernames, passwords, or API keys with parameterized runtime arguments.<\/li>\n\n\n\n<li><strong>Validate exit codes.<\/strong> Third-party scripts may use custom exit codes that differ from Zecurit&#8217;s default (<code>0<\/code> = success). 
Update the exit code field to match the script&#8217;s actual success codes.<\/li>\n\n\n\n<li><strong>Test in a non-production group first.<\/strong> Create a test device group (e.g., <code>TEST-Windows-Sandbox<\/code>) and run the script there before deploying to production devices.<\/li>\n\n\n\n<li><strong>Check platform compatibility.<\/strong> Confirm the script targets the correct OS version and that any referenced paths, registry keys, or API calls are valid for your environment.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. Script Organization Best Practices<\/h2>\n\n\n\n<p>A well-organized repository makes it easy to find, reuse, and audit scripts across your team.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Naming Conventions<\/h3>\n\n\n\n<p>Use a consistent naming scheme that encodes platform, action, and context:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;PLATFORM]-&#91;Action]-&#91;Target\/Scope]<\/code><\/pre>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>WIN-Cleanup-TempFiles<\/code><\/li>\n\n\n\n<li><code>WIN-Security-FirewallConfig<\/code><\/li>\n\n\n\n<li><code>MAC-Brightness-Increase<\/code><\/li>\n\n\n\n<li><code>LIN-Audit-UserAccounts<\/code><\/li>\n\n\n\n<li><code>WIN-Patch-KB5000001<\/code><\/li>\n<\/ul>\n\n\n\n<p>Avoid generic names like <code>test<\/code>, <code>script1<\/code>, or <code>new script<\/code>. 
These become impossible to manage as your repository grows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tagging Strategy<\/h3>\n\n\n\n<p>Assign at minimum one tag from each of these dimensions:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Dimension<\/th><th>Example Tags<\/th><\/tr><\/thead><tbody><tr><td><strong>Function<\/strong><\/td><td><code>cleanup<\/code>, <code>patching<\/code>, <code>security<\/code>, <code>monitoring<\/code>, <code>onboarding<\/code><\/td><\/tr><tr><td><strong>Frequency<\/strong><\/td><td><code>scheduled<\/code>, <code>on-demand<\/code>, <code>on-boot<\/code>, <code>weekly<\/code>, <code>monthly<\/code><\/td><\/tr><tr><td><strong>Privilege<\/strong><\/td><td><code>system<\/code>, <code>user-context<\/code>, <code>admin<\/code><\/td><\/tr><tr><td><strong>Status<\/strong><\/td><td><code>production<\/code>, <code>test<\/code>, <code>deprecated<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Descriptions Are Required for Shared Teams<\/h3>\n\n\n\n<p>Every script that will be used by more than one person should have a description. At minimum include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What the script does<\/li>\n\n\n\n<li>What it changes or deletes<\/li>\n\n\n\n<li>Any prerequisites (software, permissions, connectivity)<\/li>\n\n\n\n<li>Expected execution time<\/li>\n\n\n\n<li>Known limitations or edge cases<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Test Before Production Deployment<\/h2>\n\n\n\n<p><strong>Always test scripts in isolation before deploying to production devices.<\/strong><\/p>\n\n\n\n<p><strong>Recommended testing workflow:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a dedicated device group called <code>TEST-Sandbox<\/code> containing 1\u20132 representative test machines for each platform.<\/li>\n\n\n\n<li>Associate all new scripts to this group first via a test Deployment Policy.<\/li>\n\n\n\n<li>Review execution output (device \u2192 <strong>Deployments<\/strong> tab \u2192 click deployment name).<\/li>\n\n\n\n<li>Verify the script achieves the intended result and exits with the expected code.<\/li>\n\n\n\n<li>Only after successful testing: associate the policy to production device groups.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">6. Credential and Security Guidelines<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Never embed passwords, API keys, or tokens directly in script code.<\/strong> Use runtime arguments to pass sensitive values, and protect those values through your credential management practices.<\/li>\n\n\n\n<li><strong>Use System context only when necessary.<\/strong> Many tasks can run in Logged-in User or Run as User context with fewer privileges. Minimize SYSTEM context usage to reduce blast radius if a script has unintended effects.<\/li>\n\n\n\n<li><strong>Audit your script library quarterly.<\/strong> Remove outdated or unused scripts. 
Review scripts with broad system-level access for continued necessity.<\/li>\n\n\n\n<li><strong>Document privilege requirements<\/strong> in each script&#8217;s description field so reviewers understand the access level and can flag inappropriate privilege requests.<\/li>\n\n\n\n<li><strong>For scripts managing Windows Updates or security tools<\/strong>, consider enabling <strong>Retry After Reboot<\/strong> in the Deployment Policy to handle scenarios where the script needs to re-run after a mandatory restart.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Scheduling Best Practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Run maintenance scripts during off-hours<\/strong> (2:00 AM \u2013 5:00 AM local time) to avoid user impact.<\/li>\n\n\n\n<li><strong>Stagger large deployments<\/strong> \u2014 if targeting 1,000+ devices, create multiple policies with different start times to avoid simultaneous load on network and server.<\/li>\n\n\n\n<li><strong>Use Execute at Every Startup<\/strong> only for truly stateless scripts that are safe to run repeatedly (e.g., security baseline checks, health collectors). Avoid it for one-time installation or migration scripts.<\/li>\n\n\n\n<li><strong>Set appropriate retry counts.<\/strong> For transient network failures, 1\u20132 retries at 15-minute intervals is sufficient. For scripts that depend on external resources (internet, shared drives), increase retry interval to 30\u201360 minutes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8. Monitoring and Alerting<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enable Capture Script Output<\/strong> for all non-trivial scripts. Output logs are your primary troubleshooting resource when deployments fail.<\/li>\n\n\n\n<li><strong>Enable Notifications<\/strong> in the Deployment Policy if the script performs critical operations. 
Administrator alerts ensure failures don&#8217;t go undetected.<\/li>\n\n\n\n<li><strong>Review the Deployments tab<\/strong> on individual devices regularly \u2014 especially for policies targeting critical infrastructure.<\/li>\n\n\n\n<li><strong>Track version numbers.<\/strong> If you update a script in the repository, verify that the new version is pushed to all associated devices by comparing <strong>Version<\/strong> vs. <strong>Distributed Version<\/strong> in the device Deployments view.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Quick Reference: Script Creation Checklist<\/h2>\n\n\n\n<p>Before saving any script to the repository, verify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Script has a descriptive name following your naming convention<\/li>\n\n\n\n<li>Description field explains purpose, prerequisites, and expected runtime<\/li>\n\n\n\n<li>Correct <strong>Platform<\/strong> is selected<\/li>\n\n\n\n<li><strong>Exit Codes<\/strong> reflect all success states the script may return<\/li>\n\n\n\n<li><strong>Arguments<\/strong> are defined if the script accepts runtime parameters<\/li>\n\n\n\n<li>Tags are applied (function, frequency, privilege level)<\/li>\n\n\n\n<li>Script code has been reviewed for hardcoded credentials<\/li>\n\n\n\n<li>Script has been tested in a sandbox device group before production use<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Related<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Script Repository \u2192<\/li>\n\n\n\n<li>Deployment Policy for Scripts \u2192<\/li>\n\n\n\n<li>Associate Policy to Devices\/Groups \u2192<\/li>\n\n\n\n<li><a href=\"https:\/\/zecurit.com\/script-hub\/\">Zecurit Script 
Hub<\/a><\/li>\n<\/ul>\n","protected":false},"featured_media":0,"parent":3019,"menu_order":1,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-3146","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/comments?post=3146"}],"version-history":[{"count":2,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3146\/revisions"}],"predecessor-version":[{"id":3156,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3146\/revisions\/3156"}],"up":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3019"}],"prev":[{"title":"Script Repository","link":"https:\/\/zecurit.com\/help\/endpoint-management\/remote-script-execution\/script-repository\/","href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/3143"}],"wp:attachment":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media?parent=3146"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/doc_tag?post=3146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}