>Also is there a way to launch the VPN automatically on startup?
Kinda. Check out the rasdial command.
Can you sort the DNS entries on when they were registered? The fastest solution might be to delete all the entries older than some timeframe you feel comfortable with.
If your patch system uses the "Windows Update" mechanism for deploying updates (like WSUS) you can use this powershell command to check for updates.
powershell "(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()"
Then you could add this to the machine startup (or user login). Then the machine will reach in for updates, rather than you having to push them.