Might be worth a TAC case, but in the meantime, here is an AI response.
You’re running into two common realities with Harmony Endpoint Posture / Patch Management on Windows:
- Those “Packages” are a local cache used by the Patch Management blade, and
- Harmony Endpoint self‑protection can block deletes under C:\ProgramData\CheckPoint\... while the agent is running, which is why “old patch files” sometimes never get cleaned. [community….kpoint.com]
Below are practical (and safer) ways to clean up without breaking the agent, plus how to do it at scale with Push Operations.
⚠️ First: Don’t nuke the whole folder blindly
This command is effective, but it’s the “scorched earth” option:
Remove-Item -Path "C:\ProgramData\CheckPoint\Endpoint Security\Compliance\PatchManagement*" -Recurse -Force
Why it’s risky:
- It will delete everything, including packages that might still be needed for remediation/rollback or pending deployments.
- If Patch Mgmt still expects those files, endpoints may re-download them later (network hit) or show temporary errors.
Also, Remove-Item with -Recurse -Force really will delete folders/files aggressively (no recycle bin), so you want guardrails like -WhatIf during testing. [learn.microsoft.com]
✅ Recommended approach (safer): delete only old package files
A common pattern is “delete cache content older than X days”.
1) Test locally with -WhatIf first
$Root = "C:\ProgramData\CheckPoint\Endpoint Security\Compliance\PatchManagement\Packages"
$Days = 60
$Cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $Root -Recurse -File |
Where-Object { $_.LastWriteTime -lt $Cutoff } |
Remove-Item -Force -WhatIf
2) Then run for real (remove -WhatIf)
$Root = "C:\ProgramData\CheckPoint\Endpoint Security\Compliance\PatchManagement\Packages"
$Days = 60
$Cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $Root -Recurse -File |
Where-Object { $_.LastWriteTime -lt $Cutoff } |
Remove-Item -Force -ErrorAction SilentlyContinue
3) Optional: remove empty directories afterward
Get-ChildItem -Path $Root -Recurse -Directory |
Where-Object { @(Get-ChildItem $_.FullName -Force -ErrorAction SilentlyContinue).Count -eq 0 } |
Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
🔒 The catch: Self‑Protection may block deletion
As you already observed, Harmony Endpoint can deny write/delete access in ProgramData while active due to self‑protection. [community….kpoint.com]
So the reliable workflow is:
- Temporarily Disable Self Protection (centrally)
- Delete cache files
- Re-enable Self Protection
Harmony Endpoint supports push operations including Enable/Disable Self Protection, Remote Command, and File Actions. [sc1.checkpoint.com]
🚀 How to delete across many endpoints using Push Operation
Option A (cleanest if available): File Actions push operation
If your tenant/version exposes it, use:
- Asset Management → Push Operations → Create operation
- Choose File Actions (available push operation) [sc1.checkpoint.com]
- Pick Delete
- Target path: C:\ProgramData\CheckPoint\Endpoint Security\Compliance\PatchManagement\Packages\
- Enable recursive deletion (if the UI offers it)
Pros: no PowerShell quoting issues, no script signing/execution policy hassles.
Cons: may not support “older than X days” filtering—often it’s path-based delete only.
Option B (most flexible): Remote Command push operation (PowerShell)
Harmony includes a Remote Command push operation. [sc1.checkpoint.com]
Best practice here is to run PowerShell inline (so you avoid “-File path with spaces” issues).
Suggested Remote Command (inline)
Run this as the remote command:
powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "$Root='C:\ProgramData\CheckPoint\Endpoint Security\Compliance\PatchManagement\Packages'; $Cutoff=(Get-Date).AddDays(-60); Get-ChildItem -LiteralPath $Root -Recurse -File | Where-Object { $_.LastWriteTime -lt $Cutoff } | Remove-Item -Force -ErrorAction SilentlyContinue"
Notes:
- -ExecutionPolicy Bypass is commonly used to prevent script execution policy blocks in automation contexts. (Also frequently discussed by admins using Harmony PushOps.) [community….kpoint.com]
- Inline -Command avoids the quoting/space problems that happen when the portal auto-builds a -File "C:\Program Files (x86)\..." call. That exact pain shows up in the community thread. [community….kpoint.com]
✅ Recommended end-to-end runbook (at scale)
- Pilot on 1–3 endpoints (different OS builds if possible)
- PushOp: Disable Self Protection [sc1.checkpoint.com]
- PushOp: Remote Command (or File Actions) to delete cache
- PushOp: Enable Self Protection again [sc1.checkpoint.com]
- Monitor endpoints for:
  - Patch Mgmt health (does it re-download packages?)
  - Disk freed vs. disk re-consumed over time
A couple of quick questions (so I can tailor the safest cleanup)
- Are you using EPMaaS (Infinity Portal) or on‑prem SmartEndpoint/R81.x for Posture/Patch Management?
- Roughly how big is ...\Packages\ per endpoint (GB), and are files actively locked (Access Denied) when you try manually?
If you tell me that + your Harmony Endpoint client version (E87/E88/E89 etc.), I can suggest:
- the best retention window (30/60/90 days),
- whether “File Actions” is sufficient or Remote Command is necessary,
- and a version-specific workflow that minimizes re-download churn.
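An added example, not code from the reply above or from Check Point: the same retention-based cleanup of the Packages cache, but with each delete attempted individually so a pilot run reports how much space was freed and how many deletes came back Access Denied, which is the signal that Self Protection is still blocking removal. The script name, the log path and the mapping of PermissionDenied errors to Self Protection are assumptions.

```powershell
# Added example, not code from the original reply: age-based cleanup of the Patch
# Management package cache that tries each delete on its own, so the run can report
# bytes freed and how many deletes were denied (the Self Protection symptom).
# Save as Clean-PatchCache.ps1 (assumed name); run with -WhatIf first. LogPath is assumed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'C:\ProgramData\CheckPoint\Endpoint Security\Compliance\PatchManagement\Packages',
    [int]$Days = 60,
    [string]$LogPath = "$env:ProgramData\PatchCacheCleanup.log"
)

$Cutoff = (Get-Date).AddDays(-$Days)
$Stats  = [ordered]@{ Deleted = 0; BytesFreed = 0; Denied = 0; OtherErrors = 0 }
$Denied = New-Object System.Collections.Generic.List[string]

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $Cutoff } |
    ForEach-Object {
        $file = $_   # keep a reference: $_ becomes the error record inside catch
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Remove file')) { return }
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $Stats.Deleted++
            $Stats.BytesFreed += $file.Length
        }
        catch {
            if ($_.CategoryInfo.Category -eq 'PermissionDenied') {
                $Stats.Denied++          # usually the agent's Self Protection refusing the delete
                $Denied.Add($file.FullName)
            }
            else {
                $Stats.OtherErrors++
                Write-Warning "$($file.FullName): $($_.Exception.Message)"
            }
        }
    }

# One summary line per run, per endpoint, so pilot results can be compared over time
$Line = '{0} {1} Days={2} Deleted={3} FreedMB={4} Denied={5} Errors={6}' -f (Get-Date -Format s),
    $env:COMPUTERNAME, $Days, $Stats.Deleted, [math]::Round($Stats.BytesFreed / 1MB, 1),
    $Stats.Denied, $Stats.OtherErrors
Add-Content -LiteralPath $LogPath -Value $Line

if ($Stats.Denied -gt 0) {
    Write-Warning "$($Stats.Denied) delete(s) denied; Self Protection is likely still enabled. First few:"
    $Denied | Select-Object -First 5 | ForEach-Object { Write-Warning "  $_" }
}
[pscustomobject]$Stats
```

A non-zero Denied count after the Disable Self Protection push operation means the operation has not taken effect on that endpoint yet, so re-check before moving on to the Remote Command step.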