Test-ArcEsuChain

1.0.1

Runs a comprehensive set of read-only checks on an Arc-enabled Windows Server
2012 / 2012 R2 machine where the latest ESU security update installs, reboots,
then rolls back. It pinpoints WHICH of the known causes applies:

   * Missing / untrusted certificate in the license signing chain
   * Certificate chain present but REVOCATION cannot be checked
     (CRL/OCSP endpoint blocked by a proxy/firewall - e.g. Zscaler)
   * Old agent / missing Servicing Stack Update
   * License file / himds problems
   * Clock skew, blocked cert-download endpoint, root auto-update disabled

The script only READS state (plus harmless network GETs). It changes nothing.
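
The first two causes in the list above can be told apart by building the same certificate chain twice, once with revocation checking off and once with it online. The sketch below is an added example, not code from Test-ArcEsuChain; the function name `Test-ChainRevocation`, the verdict strings, and the certificate path in the usage comment are hypothetical.

```powershell
# Added illustration, not code from Test-ArcEsuChain. The function name and
# verdict strings are hypothetical. Read-only: builds chains, changes nothing.
function Test-ChainRevocation {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $results = @{}
    foreach ($mode in 'NoCheck', 'Online') {
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = $mode   # string converts to the enum
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $valid  = $chain.Build($Certificate)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $results[$mode] = New-Object psobject -Property @{ Valid = $valid; Status = $status }
        $chain.Reset()
    }
    $offline = $results.NoCheck
    $online  = $results.Online

    if (-not $offline.Valid) {
        # Fails even with revocation off: the chain itself is the problem
        # (UntrustedRoot / PartialChain = missing or untrusted certificate,
        #  NotTimeValid = expired certificate or wrong system clock).
        $verdict = 'Chain invalid without revocation'
    }
    elseif ($online.Status -contains 'Revoked') {
        $verdict = 'Certificate in chain is revoked'
    }
    elseif (-not $online.Valid -and
            ($online.Status -contains 'RevocationStatusUnknown' -or
             $online.Status -contains 'OfflineRevocation')) {
        # Chain is fine, but CRL/OCSP could not be fetched.
        $verdict = 'Revocation cannot be checked'
    }
    elseif ($online.Valid) { $verdict = 'Chain valid, revocation checked' }
    else { $verdict = 'Chain fails online for another reason' }

    New-Object psobject -Property @{
        Verdict       = $verdict
        NoCheckStatus = $offline.Status -join ', '
        OnlineStatus  = $online.Status -join ', '
    }
}

# Usage (path is a placeholder for a certificate you exported yourself):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\placeholder.cer'
# Test-ChainRevocation -Certificate $cert
```

A verdict of "Revocation cannot be checked" on a machine behind an inspecting proxy points at the CRL/OCSP path rather than at the certificate stores.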

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Script -Name Test-ArcEsuChain -RequiredVersion 1.0.1

Copyright

(c) 2026 Petar Ivanov. All rights reserved.

Package Details

Author(s)

  • Petar Ivanov

Tags

Azure Arc ESU ExtendedSecurityUpdates WindowsServer2012 Certificate Revocation CRL OCSP Troubleshooting Diagnostics

Functions

Write-Section Add-Finding Test-IsElevated New-ZipFromDir Test-Endpoint Test-CertInStore

Dependencies

This script has no dependencies.

Release Notes

1.0.1 - CBS log scan now classifies each ESU rollback signature by recency: occurrences in the
last 24h are reported as FAIL ("recent"), older ones as INFO ("historical - likely a previous
attempt"), so a healthy machine is no longer flagged by stale entries from an earlier attempt.
The scan was also consolidated into a single combined-regex pass instead of one pass per signature.

1.0.0 - Initial release. Diagnoses the Azure Arc-enabled ESU "The chain does not seem valid"
patch-rollback issue on Windows Server 2012 / 2012 R2: certificate chain build (with and
without revocation), required certificate stores, endpoint reachability with proxy-block
detection, revocation cache, certutil verify, CBS log signatures, and an optional -CollectZip
diagnostic bundle. Read-only.

Version History

Version Downloads Last updated
1.0.2 4 6/24/2026
1.0.1 (current version) 3 6/24/2026
1.0.0 4 6/24/2026