Windows - Configuration - Add Host File Entry

Enforce a custom DNS entry in the Windows hosts file to override name resolution across endpoints

Worklet Details

What the Windows hosts file enforcer does

This Automox Worklet™ writes a custom name-resolution entry to the Windows hosts file so a specific hostname resolves to a chosen IP address on the endpoint regardless of upstream DNS. The Worklet runs as the Automox agent in SYSTEM context, scans %WINDIR%\System32\drivers\etc\hosts for the configured hostname, and appends the IP-and-hostname pair when the hostname is not present. Endpoints where the entry already exists exit without writing, so the Worklet is safe to schedule on a recurring policy.

Both the evaluation and remediation scripts use the $hosttoadd variable to identify the target hostname and the remediation script uses the $address variable to set the IP. Edit those two values at the top of each script before deploying the policy. To manage multiple hosts, duplicate the Worklet per entry or wrap the logic in a ForEach loop over your own list.

The match is a substring check, not a strict line match. Any existing line that contains the target hostname satisfies the evaluation, even when the IP differs. That makes the Worklet idempotent for fresh installs and safe to rerun, but it also means changing the IP on an entry that already exists requires removing the old line first.
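The consequence of the substring match, as an added example (not the Worklet's own evaluation.ps1): a commented-out line or a longer hostname that contains the target also satisfies Select-String, while a token-level check reports the entry as missing or mapped to the wrong IP. `Get-HostsEntry` and `Test-HostsEntry` are hypothetical helper names, and the hostname, IP and hosts content are constructed sample values.

```powershell
# Added example: strict hosts-file evaluation; not the Worklet's evaluation.ps1.
$hosttoadd = 'intranet.example.test'   # constructed sample hostname
$address   = '10.0.0.25'               # constructed sample IP

function Get-HostsEntry {
    # Emit one Address/Name object per hostname on each active (non-comment) line.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $active = ($line -split '#', 2)[0].Trim()    # strip comments
        if (-not $active) { continue }                # blank or comment-only line
        $tokens = $active -split '\s+'
        if ($tokens.Count -lt 2) { continue }         # address with no hostname
        foreach ($name in $tokens[1..($tokens.Count - 1)]) {
            [pscustomobject]@{ Address = $tokens[0]; Name = $name }
        }
    }
}

function Test-HostsEntry {
    # Returns 'Missing', 'WrongAddress' or 'Compliant'; the hostname must match as a whole token.
    param([string[]]$Lines, [string]$Name, [string]$Address)
    $found = @(Get-HostsEntry -Lines $Lines | Where-Object { $_.Name -eq $Name })
    if ($found.Count -eq 0) { return 'Missing' }
    if ($found | Where-Object { $_.Address -ne $Address }) { return 'WrongAddress' }
    return 'Compliant'
}

# Constructed hosts content: the target appears only in a comment and inside a longer name.
$sample = @(
    '# 10.0.0.25 intranet.example.test',
    '10.0.0.99    old-intranet.example.test'
)

# The substring check described above, next to the strict check.
$substring = [bool]($sample | Select-String -Pattern $hosttoadd -SimpleMatch -Quiet)
$strict    = Test-HostsEntry -Lines $sample -Name $hosttoadd -Address $address
"Substring check finds hostname: $substring"
"Strict check result:            $strict"

# Against a live endpoint, pass the real file instead of $sample:
# Test-HostsEntry -Lines (Get-Content "$env:windir\System32\drivers\etc\hosts") -Name $hosttoadd -Address $address
```

A 'WrongAddress' result is the case the page describes where the old line has to be removed before the new IP can take effect.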

Why enforce hosts file entries from Automox

The Windows hosts file is the lowest-friction name-resolution override the OS provides. It bypasses upstream DNS, ignores split-horizon configurations, and persists across reboots and network changes. Operations teams use it to pin an internal service to a known IP during a DNS migration, to block a malicious domain by resolving it to 127.0.0.1, or to route a hostname to a staging environment for a test cohort.

A documented hosts file override only matters when every Windows endpoint actually carries it. Apply this Worklet through your DNS-cutover or domain-block policy so the same IP-and-hostname pair reaches workstations, servers, and remote endpoints from a single source. The next scheduled evaluation reasserts the entry after image refreshes, OEM tooling, or a user with local admin removes the line.

How the hosts file enforcement works

  1. Evaluation phase: The Worklet runs Select-String against $env:windir\System32\drivers\etc\hosts with -Pattern set to $hosttoadd, -SimpleMatch to treat the value as a literal substring, and -Quiet to return a boolean. If the hostname is found anywhere in the file the script exits 0 and the endpoint is reported compliant. If the hostname is absent the script exits 1 and the endpoint is flagged for remediation.

  2. Remediation phase: The remediation script repeats the Select-String check, then calls Add-Content on the hosts file with -Value "`n$address`t$hosttoadd" -Force to append a tab-separated IP-and-hostname line. A try/catch block returns exit 0 on a successful write and exit 1 if the write is blocked (for example, by a tamper-protection product). No DNS cache flush is performed; clients pick up the new entry on the next lookup after the resolver TTL expires or after a manual ipconfig /flushdns.

Hosts file enforcement requirements

  • Windows 10, Windows 11, or Windows Server 2016 and later with PowerShell 5.1 available

  • SYSTEM or local administrator context for the Automox agent (the default agent context satisfies this) to write to %WINDIR%\System32\drivers\etc\hosts

  • Edit the $hosttoadd variable in both evaluation.ps1 and remediation.ps1 to the target hostname, and edit the $address variable in remediation.ps1 to the target IP, before importing the Worklet

  • Awareness that tamper-protection and EDR products often monitor the hosts file as a high-fidelity exfiltration signal; whitelist the Automox agent in those products before scheduling the policy to avoid false-positive quarantine actions

  • A documented rollback procedure (manually remove the appended line, or run a companion Worklet that deletes it) so an admin can recover the previous behavior on a specific endpoint without disabling the policy fleet-wide

Expected hosts file state after enforcement

After successful remediation, the hosts file at %WINDIR%\System32\drivers\etc\hosts contains a new line in the form $address`t$hosttoadd appended to the end. Subsequent Automox policy runs find the hostname via Select-String and report the endpoint as compliant without rewriting the file. If the line is later removed by an installer, a feature update, or a local admin, the next evaluation flags the endpoint and the remediation script appends the entry again.

Validate by running Resolve-DnsName or nslookup against the configured hostname on a remediated endpoint and confirming the IP matches the hosts file entry. Note that nslookup sends its query directly to the configured DNS server and does not read the hosts file, so Resolve-DnsName is the check that reflects the override. If the lookup still returns the upstream DNS result, run ipconfig /flushdns to clear the resolver cache and retry. A regression where the hosts entry disappears between runs almost always means an endpoint protection product reverted the file; whitelist the Automox agent in that product and rerun the Worklet.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
