Folder Clean Up

What the specified file cleanup Worklet does

This Automox Worklet™ removes targeted files and folders from Windows endpoints based on a path list and a file extension exclusion pattern. The Worklet reads four policy variables before each run. $targetFolders holds system-wide paths such as C:\Windows\Temp or C:\ProgramData\<vendor>\Logs. $userFolders holds per-profile paths such as AppData\Local\Temp and AppData\Local\Microsoft\Windows\INetCache. $exclude lists the file extensions the policy should leave alone. $forceDelete and $deleteEmpty control whether the Worklet removes whole directories or only their contents.

On every endpoint, the Worklet enumerates user profiles via Get-CimInstance Win32_UserProfile, expands each entry in $userFolders against every discovered profile, and walks each target with Get-ChildItem -Recurse. It applies the extension exclusion list and removes matching items with Remove-Item -Force. When $forceDelete is True, the Worklet removes the entire directory tree with Remove-Item -Recurse -Force, bypassing the exclusion list. When $deleteEmpty is True, a final pass removes any subdirectories that are left empty after the main deletion.

The evaluation script always returns exit code 1, flagging the endpoint non-compliant on every run so that remediation executes. The remediation script reports exit code 0 on success and a non-zero code on failure. Files locked by a running process will surface as errors during the Remove-Item call; the Worklet does not suppress per-file errors, so a locked file can cause the run to report failure while still completing cleanup on the remaining targets.

Why purge targeted files on a Windows fleet

Temporary files, browser caches, vendor log directories, MSI staging payloads, and crash dumps accumulate on Windows endpoints over time. A full C:\ volume blocks Windows Update from staging cumulative updates and breaks .NET runtime installers that need scratch space. Identifying which path is the offender on which endpoint, across a fleet of hundreds or thousands of machines, is not practical to do by hand.

Treating the offender directories as a recurring sweep solves this at scale. Listing the known temp, cache, and log paths in $targetFolders and $userFolders, then scheduling the policy on a daily or weekly cadence, drives the same Get-ChildItem and Remove-Item pass through every Windows endpoint. The next patch window does not stall on a single endpoint that is out of disk, and the Automox activity log shows which endpoints completed cleanup and which encountered errors.

How specified file cleanup works

1. Evaluation phase: The evaluation script always exits with code 1, flagging every endpoint as non-compliant so that the remediation phase runs on each scheduled cycle. There is no conditional path-scanning logic in evaluation - the policy is designed to run remediation unconditionally.

2. Remediation phase: The Worklet replays the same path resolution and filter logic and removes each matching file with Remove-Item -Force -ErrorAction SilentlyContinue. When the force-delete flag is set, the Worklet drops the entire directory with Remove-Item -Recurse -Force rather than deleting file by file. When the empty-directory cleanup flag is set, a final pass walks each target with Get-ChildItem -Recurse -Directory and removes any folder whose child count is zero. Files matching $exclude are preserved, and locked files are logged and skipped so a single in-use handle does not abort the run.

Specified file cleanup requirements

• Windows 8.1 or later, Windows 10, Windows 11, or Windows Server 2012 R2 and above

• PowerShell 3.0 or later, with execution policy that allows the Automox agent to run signed Worklet scripts

• Local administrator context (the default Automox agent service account) to delete files from C:\Windows\Temp, C:\ProgramData, and other user profiles

• $targetFolders set in the policy to the absolute paths the Worklet should evaluate, for example C:\Windows\Temp, C:\ProgramData\Microsoft\Windows\WER\ReportQueue, or a vendor-specific log directory

• $userFolders set to per-profile relative paths the Worklet should expand against every user, for example AppData\Local\Temp or AppData\Local\Microsoft\Windows\INetCache

• $exclude set to file extensions that should never be deleted, for example .ost, .pst, or .lnk, to protect mail caches and shortcut targets that legitimately live in user temp directories

• Optional age threshold (in days) for last-write filtering, useful when the policy should leave recently created files alone while clearing anything older than 7, 14, or 30 days

• Optional toggles for force-delete (remove whole folders rather than file contents) and empty-subdirectory cleanup after the main pass

Expected disk and file-system state after cleanup

After a successful run, every configured target on the endpoint contains only files the policy explicitly preserved through $exclude or the age threshold. Disk space previously held by stale temp files, MSI extraction folders, INetCache entries, vendor log rollovers, and crash dump payloads is returned to the volume's free space. On endpoints that were close to a full C:\ drive, Windows Update, .NET installers, and Defender definition updates can resume without manual intervention. The endpoint is reported compliant on the next evaluation because Get-ChildItem returns no matching items in the configured paths.

Validate the result with Get-PSDrive C, which reports current free space against the volume size. Then run Get-ChildItem -Path <target> -Recurse -Force -File on each $targetFolders entry; it should return only files inside the exclusion list or files newer than the age threshold. For audit evidence, capture the Worklet's stdout (it prints the file count and total bytes removed per path) and store it with the Automox policy run identifier. User applications and Windows services continue to operate normally. The Worklet skips files held by open handles and never touches HKLM registry hives, system binaries, or Group Policy artifacts that live outside the configured target list.