This question has come up a few times: How can I remove the patch payloads from a patch repository that were downloaded but will likely not be used again? You can't just delete the underlying file off the file system, because TSSA still has it flagged as downloaded. If you happen to need the patch again (maybe you are patching a newly provisioned system), you will get errors because TSSA can't find the patch file.


This script solves that problem for Windows catalogs. It uses the DATE_CREATED property value (when the patch was added to the catalog) to find old patches whose payload exists on the repository file system, checks that the patch object has no dependencies, deletes the file, and then resets the downloaded flag to no. If the patch is needed in the future, it will be re-downloaded. The script will not run against: offline catalogs, catalogs with Download from Vendor checked, or catalogs that share a repository location with other catalogs in the same TSSA environment. Do not run it against a TSSA environment that shares the catalog location with another TSSA environment.


Standard disclaimer: not supported, may not work for you, may cause small fires, don't test this in production.


Basic usage:

 nsh removeOldPatchesFromCatalog.nsh -P defaultProfile -R BLAdmins -c "<full path to catalog>" -r <retention in days>


 nsh removeOldPatchesFromCatalog.nsh -P defaultProfile -R BLAdmins -c "/Workspace/Patch Catalogs/Windows 2019" -r 30


This will remove patches 30 days or older from the /Workspace/Patch Catalogs/Windows 2019 catalog.


The retention value should be longer than your patch cycle.  If it normally takes you about a month to patch all your servers, then use a retention value of 45 to 60 days.
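
The selection rule described above, modeled as an added example over constructed data (this is not the script itself or BMC code). The inventory layout, the patch names and the `purge_candidates` and `repo_is_shared` helpers are assumptions made for illustration; it shows which patches a given retention would purge and the shared-repository check.

```shell
#!/bin/sh
# Constructed inventory, one patch per line:
#   name|DATE_CREATED (YYYY-MM-DD)|payload downloaded (yes/no)|dependent objects
# The field layout is an assumption for this example, not a TSSA export format.
SAMPLE_INVENTORY='KB5001-x64.msu|2024-01-10|yes|0
KB5002-x64.msu|2024-01-10|yes|2
KB5003-x64.msu|2024-01-10|no|0
KB5004-x64.msu|2024-03-20|yes|0
KB5005-x64.msu|2024-03-02|yes|0'

# purge_candidates RETENTION_DAYS TODAY < inventory
# Prints patches whose payload may be deleted and whose flag may be reset:
# added at least RETENTION_DAYS ago, payload present, nothing depends on them.
purge_candidates() {
  awk -F'|' -v keep="$1" -v today="$2" '
    # Days since 1970-01-01 for a Gregorian date (integer arithmetic only).
    function days(s,   p, y, m, d, era, yoe, doy) {
      split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    NF == 4 && $3 == "yes" && $4 == 0 && days(today) - days($2) >= keep { print $1 }
  '
}

# repo_is_shared LOCATION < "catalog|location" lines
# Succeeds when more than one catalog uses LOCATION, the case the script refuses.
repo_is_shared() {
  awk -F'|' -v loc="$1" '$2 == loc { n++ } END { exit !(n > 1) }'
}

# Dry run over the constructed data: list what a 30-day retention would purge.
printf '%s\n' "$SAMPLE_INVENTORY" | purge_candidates 30 2024-04-01
```

Raising the retention to 60 leaves only the January patch with no dependencies in the list, which is the effect of choosing a retention longer than the patch cycle.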


Feedback is welcome.