Test-ArcEsuChain

1.0.2

Runs a comprehensive set of read-only checks on an Arc-enabled Windows Server
2012 / 2012 R2 machine where the latest ESU security update installs, reboots,
then rolls back. It pinpoints WHICH of the known causes applies:

   * Missing / untrusted certificate in the license signing chain
   * Certificate chain present but REVOCATION cannot be checked
     (CRL/OCSP endpoint blocked by a proxy/firewall - e.g. Zscaler)
   * Old agent / missing Servicing Stack Update
   * License file / himds problems
   * Clock skew, blocked cert-download endpoint, root auto-update disabled

The script only READS state (plus harmless network GETs). It changes nothing.
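The two certificate causes above look identical from the update log but need different fixes, so the distinguishing check is worth seeing in code. The following is an added PowerShell example written for this page; it is not code from the Test-ArcEsuChain script. It builds a certificate's chain twice, once with revocation checking off and once online, and then fetches the CRL/OCSP URLs embedded in the certificate to see whether what comes back is DER or an HTML block page (the proxy-block symptom). The function names are invented for the example, the thumbprint in the usage line is a placeholder, and the "looks like a block page" test is a heuristic, not a definitive proxy check.

```powershell
# Added example: tells "chain does not build" apart from "chain builds but revocation
# cannot be checked". Read-only apart from HTTP GETs to the certificate's own CRL/OCSP URLs.

function Test-ChainWithAndWithoutRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $results = @{}
    foreach ($mode in 'NoCheck', 'Online') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Cast the mode name to the enum; ExcludeRoot is what most verifiers use.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$mode
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $built = $chain.Build($Certificate)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $results[$mode] = [pscustomobject]@{
            Mode     = $mode
            Built    = $built
            Status   = ($status -join ', ')
            Elements = $chain.ChainElements.Count
        }
        $chain.Dispose()
    }

    # Interpretation: the NoCheck build isolates trust problems; the Online build adds revocation.
    if (-not $results['NoCheck'].Built) {
        $verdict = 'FAIL: chain does not build even without revocation (missing or untrusted CA in the chain)'
    } elseif (-not $results['Online'].Built -and
              $results['Online'].Status -match 'RevocationStatusUnknown|OfflineRevocation') {
        $verdict = 'FAIL: chain builds, but revocation cannot be checked (CRL/OCSP endpoint unreachable or blocked)'
    } elseif (-not $results['Online'].Built) {
        $verdict = 'FAIL: ' + $results['Online'].Status
    } else {
        $verdict = 'PASS: chain builds with online revocation checking'
    }
    [pscustomobject]@{ NoCheck = $results['NoCheck']; Online = $results['Online']; Verdict = $verdict }
}

function Get-RevocationUrl {
    # Pulls URL= entries out of the CRL Distribution Points (2.5.29.31) and
    # Authority Information Access (1.3.6.1.5.5.7.1.1) extensions.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $Certificate.Extensions |
        Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
        ForEach-Object {
            [regex]::Matches($_.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        } | Select-Object -Unique
}

function Test-RevocationEndpoint {
    # A real CRL/OCSP response is DER (first byte 0x30, a SEQUENCE). A proxy that
    # intercepts the request typically answers with an HTML page and often HTTP 200,
    # which is why a plain "did the GET succeed" check misses the problem.
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        $body = $r.Content
        $isDer = ($body -is [byte[]] -and $body.Length -gt 0 -and $body[0] -eq 0x30)
        $looksHtml = ($body -is [string] -and $body -match '<html|<!DOCTYPE')
        [pscustomobject]@{
            Url = $Url; HttpStatus = [int]$r.StatusCode; ContentType = $r.Headers['Content-Type']
            LooksLikeDer = $isDer; LooksLikeBlockPage = $looksHtml; Error = $null
        }
    } catch {
        [pscustomobject]@{
            Url = $Url; HttpStatus = $null; ContentType = $null
            LooksLikeDer = $false; LooksLikeBlockPage = $false; Error = $_.Exception.Message
        }
    }
}

# Usage (the thumbprint is a placeholder; point it at the certificate whose chain you want to test):
# $cert = Get-Item 'Cert:\LocalMachine\My\<thumbprint>'
# Test-ChainWithAndWithoutRevocation -Certificate $cert | Format-List
# Get-RevocationUrl -Certificate $cert | ForEach-Object { Test-RevocationEndpoint -Url $_ } | Format-Table
```

If the NoCheck build succeeds and the Online build fails with RevocationStatusUnknown or OfflineRevocation, the endpoint table usually shows the reason: a URL that returns an HTML body, a non-2xx status, or a connection error rather than DER. A successful Online build on the same machine that still rolls back the update points away from the certificate chain and toward the other causes in the list above.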


Installation Options

Using PowerShellGet:

    Install-Script -Name Test-ArcEsuChain

Using Microsoft.PowerShell.PSResourceGet:

    Install-PSResource -Name Test-ArcEsuChain

The package can also be deployed directly to Azure Automation (a package with dependencies deploys those dependencies as well), or the .nupkg file can be downloaded manually to the system's default download location; a manual download is not unpacked and does not include any dependencies.

Copyright

(c) 2026 Petar Ivanov. All rights reserved.

Package Details

Author(s)

  • Petar Ivanov

Tags

Azure Arc ESU ExtendedSecurityUpdates WindowsServer2012 Certificate Revocation CRL OCSP Troubleshooting Diagnostics

Functions

Write-Section Add-Finding Test-IsElevated New-ZipFromDir Test-Endpoint Test-CertInStore

Dependencies

This script has no dependencies.

Release Notes

1.0.2 - CBS rollback signatures are now reported as WARN (evidence), never FAIL. CBS entries are
historical by nature, so a hard FAIL was misleading - e.g. a rollback logged minutes before a fix
would still flag after re-running. Each signature is shown with its latest timestamp and hit count
so it can be correlated against the time of the fix / last attempt. The live verdict comes from the
chain build and endpoint checks, which reflect current state.
1.0.1 - CBS log scan classified ESU rollback signatures by recency and consolidated to a single
combined-regex pass. (Recency split superseded by 1.0.2.)
1.0.0 - Initial release. Diagnoses the Azure Arc-enabled ESU "The chain does not seem valid"
patch-rollback issue on Windows Server 2012 / 2012 R2: certificate chain build (with and
without revocation), required certificate stores, endpoint reachability with proxy-block
detection, revocation cache, certutil verify, CBS log signatures, and an optional -CollectZip
diagnostic bundle. Read-only.

Version History

Version Downloads Last updated
1.0.2 (current version) 4 6/24/2026
1.0.1 3 6/24/2026
1.0.0 4 6/24/2026