Hi, I'm in the process of migrating from W2012R2 to W2022, and I have a problem: I can't remove the AD CA role.
The old server (W2012R2) has only the AD, DNS and AD CA roles.
The AD and DNS roles have already been migrated to the new server.
I am migrating AD CA with this manual:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/move-certification-authority-to-another-server
In step 5, "Remove Certificate Services from the old server", Server Manager and PowerShell give the same error:
PS C:\Windows\system32> Remove-WindowsFeature -Name AD-Certificate
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
False Maybe Failed {}
Remove-WindowsFeature : A prerequisite check for the AD-Certificate feature failed.
- The status of the role services on the target machine cannot be determined. Please retry. The error is Failed to open the runspace pool. The Server Manager WinRM plug-in might be corrupted or missing..
At line:1 char:1
+ Remove-WindowsFeature -Name AD-Certificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Active Directory Certificate Services:ServerComponentWrapper) [Uninstall-WindowsFeature], Exception
    + FullyQualifiedErrorId : Alteration_PrerequisiteCheck_Failed,Microsoft.Windows.ServerManager.Commands.RemoveWindowsFeatureCommand
I reconfigured WinRM with GPO (enabled remote shell access, opened the FW ports, reconfigured the WinRM listener, etc.), but I'm still not able to remove the AD CA role.
PS C:\Windows\system32> winrm e winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 192.168.1.11, ::1, fe80::5efe:192.168.1.11%13
PS C:\Windows\system32> Winrm id
IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 6.3.9600 SP: 0.0 Stack: 3.0
SecurityProfiles
SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/basic, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos
PS C:\Windows\system32> winrm get winrm/config
Config
MaxEnvelopeSizekb = 500
MaxTimeoutms = 60000
MaxBatchItems = 32000
MaxProviderRequests = 4294967295
Client
NetworkDelayms = 5000
URLPrefix = wsman
AllowUnencrypted = false
Auth
Basic = true
Digest = true
Kerberos = true
Negotiate = true
Certificate = true
CredSSP = false
DefaultPorts
HTTP = 5985
HTTPS = 5986
TrustedHosts
Service
RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = true [Source="GPO"]
Auth
Basic = true [Source="GPO"]
Kerberos = true
Negotiate = true [Source="GPO"]
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Winrs
AllowRemoteShellAccess = true [Source="GPO"]
IdleTimeout = 7200000
MaxConcurrentUsers = 2147483647
MaxShellRunTime = 2147483647
MaxProcessesPerShell = 2147483647
MaxMemoryPerShellMB = 2147483647
MaxShellsPerUser = 2147483647
PS C:\Windows\system32> winrm get wmicimv2/Win32_Service?Name=WinRM
Win32_Service
AcceptPause = false
AcceptStop = true
Caption = Windows Remote Management (WS-Management)
CheckPoint = 0
CreationClassName = Win32_Service
Description = Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
DesktopInteract = false
DisplayName = Windows Remote Management (WS-Management)
ErrorControl = Normal
ExitCode = 0
InstallDate = null
Name = WinRM
PathName = C:\Windows\System32\svchost.exe -k NetworkService
ProcessId = 928
ServiceSpecificExitCode = 0
ServiceType = Share Process
Started = true
StartMode = Auto
StartName = NT AUTHORITY\NetworkService
State = Running
Status = OK
SystemCreationClassName = Win32_ComputerSystem
SystemName = MAIN
TagId = 0
WaitHint = 0
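The "Failed to open the runspace pool" message in the post comes from Server Manager's own WinRM endpoint rather than from the listener, which the `winrm` output above shows is healthy. The script below is an added diagnostic, not part of the original post and not from Microsoft's migration guide: it checks, from an elevated PowerShell on the old CA server, each local WinRM prerequisite that `Remove-WindowsFeature` depends on, and separately flags the two settings the post's `winrm get winrm/config` output shows as weak (`Service\AllowUnencrypted = true` and `Service\Auth\Basic = true`, both pushed by GPO). The function name `Test-LocalWinRM` is mine; the session configuration name `microsoft.windows.servermanagerworkflows` is the standard Server Manager endpoint on Server 2012 R2 and later and is assumed to be registered on the machine.

```powershell
# Added example (not from the original post): local WinRM prerequisite check
# for Server Manager / Remove-WindowsFeature. Run elevated on the old CA server.

function Test-LocalWinRM {
    $result = [ordered]@{}

    # 1. The WinRM service itself (the post's Win32_Service dump shows State = Running).
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. At least one listener (the post shows an HTTP listener on port 5985).
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $result.ListenerCount = @($listeners).Count

    # 3. Loopback WS-Man identify request, the same kind of call Server Manager
    #    makes before it touches role services.
    try {
        $null = Test-WSMan -ComputerName localhost -ErrorAction Stop
        $result.LoopbackWSMan = $true
    } catch {
        $result.LoopbackWSMan = $false
        $result.LoopbackError = $_.Exception.Message
    }

    # 4. The Server Manager session configuration. A missing or disabled endpoint
    #    here matches the "runspace pool" error even when the listener is fine.
    #    Endpoint name assumed to be the standard one on Server 2012 R2.
    $cfg = Get-PSSessionConfiguration -Name 'microsoft.windows.servermanagerworkflows' `
                                      -ErrorAction SilentlyContinue
    $result.ServerManagerEndpointPresent = [bool]$cfg
    $result.ServerManagerEndpointEnabled = [bool]($cfg -and "$($cfg.Enabled)" -eq 'True')

    # 5. Hardening findings. Both values are strings ('true'/'false') in the WSMan drive.
    $result.AllowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    $result.BasicAuth        = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value

    [pscustomobject]$result
}

$r = Test-LocalWinRM
$r | Format-List

# Report the prerequisite that actually blocks the feature removal.
if (-not $r.ServiceRunning)                 { Write-Warning 'WinRM service is not running.' }
if ($r.ListenerCount -eq 0)                 { Write-Warning 'No WinRM listener is configured.' }
if (-not $r.LoopbackWSMan)                  { Write-Warning "Loopback Test-WSMan failed: $($r.LoopbackError)" }
if (-not $r.ServerManagerEndpointPresent)   { Write-Warning 'Server Manager session configuration is missing.' }
elseif (-not $r.ServerManagerEndpointEnabled) { Write-Warning 'Server Manager session configuration is disabled.' }

# Report the GPO-driven settings that weaken the listener regardless of the removal problem.
if ($r.AllowUnencrypted -eq 'true') { Write-Warning 'Service\AllowUnencrypted is true: WinRM traffic may be sent in clear text.' }
if ($r.BasicAuth -eq 'true')        { Write-Warning 'Service\Auth\Basic is true: credentials can be sent with Basic auth over HTTP.' }
```

The first four checks separate "the listener works" (which the post's output already proves) from "Server Manager's own endpoint works", which is the part the error text points at. The last two warnings are unrelated to the removal failure but worth closing once the migration is done, since both values were set by GPO and so apply to every server in that policy's scope, not only to the old CA.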