In Exchange, once a certificate has been assigned to a service, that service checkbox in ECP can’t be cleared; the only supported action is to assign a different certificate to that service. The greyed‑out checkboxes you see are expected behavior.
Key points from the product behavior:
- Service assignments are one‑way in ECP/PowerShell
  - After a certificate is assigned to a service, the assignment itself cannot be “removed” from that certificate.
  - To stop using a certificate for a given service, assign another certificate to that service instead, then remove the old certificate if it’s no longer needed.
  - This is explicitly documented: “Once you assign a certificate to a service, you can't remove the assignment. If you no longer want to use a certificate for a specific service, you need to assign another certificate to the service, and then remove the certificate that you don't want to use.”
- What this means for POP/IMAP in your scenario
  - If POP and IMAP are still shown as selected for both the old and new certificates:
    - Pick the certificate you actually want POP/IMAP to use (typically the new one).
    - Ensure that certificate is assigned to POP and IMAP (which you’ve already done via PowerShell).
    - For the old certificate, you will not be able to uncheck POP/IMAP; instead, remove the old certificate entirely once it is no longer in use by any other components (for example, not referenced by Send connectors via `TlsCertificateName`).
- Verifying and cleaning up via PowerShell
  - Confirm which services each certificate is actually bound to:

    ```powershell
    Get-ExchangeCertificate | Format-List FriendlyName,Thumbprint,Services
    ```

  - If the old certificate is no longer needed for any service, remove it:

    ```powershell
    Remove-ExchangeCertificate -Thumbprint <old-cert-thumbprint>
    ```

  - If you get an error about Send connectors when removing a certificate, follow the documented process to clear and re‑set `TlsCertificateName` on the affected Send connectors, then remove the old certificate and re‑assign `TlsCertificateName` to the new certificate.
- POP/IMAP specific note
  - For POP and IMAP, the certificate assignment is only part of the configuration. The FQDN that clients use is controlled by `Set-PopSettings` and `Set-ImapSettings`. Even if multiple certificates appear to have POP/IMAP checked, clients will use the certificate that matches the FQDN configured for those services.
In summary, the greyed‑out checkboxes are by design. The supported way to “remove” POP/IMAP from a certificate is to:
- ensure another certificate is assigned and in use for those services, and then
- remove the old certificate from the server if it is no longer required.
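A read-only pre-removal check for the steps described in the answer above, as an added example that is not part of the original answer or Microsoft's documentation. It assumes the Exchange Management Shell on the server that holds the certificates, that `<old-cert-thumbprint>` is replaced with the real value, and that a Send connector's `TlsCertificateName` renders as `<I>issuer<S>subject`.

```powershell
# Added example: changes nothing, only reports. Run in the Exchange Management Shell.
# Placeholder: replace with the thumbprint of the certificate you plan to remove.
$OldThumbprint = '<old-cert-thumbprint>'

$certs = @(Get-ExchangeCertificate)   # certificates on the local server
$old   = $certs | Where-Object { $_.Thumbprint -eq $OldThumbprint }
if (-not $old) { throw "No certificate with thumbprint $OldThumbprint on this server." }

# 1. Service bindings and expiry for every certificate
$certs | Sort-Object NotAfter |
    Format-Table FriendlyName, Thumbprint, Services, NotAfter -AutoSize | Out-Host

# 2. Send connectors that still reference the old certificate.
#    Assumption: TlsCertificateName is stored as "<I>issuer<S>subject".
$oldTlsName = "<I>$($old.Issuer)<S>$($old.Subject)"
$blocking = @(Get-SendConnector |
    Where-Object { $_.TlsCertificateName -and ([string]$_.TlsCertificateName -eq $oldTlsName) })

# 3. FQDN configured for POP and IMAP, and which unexpired certificates
#    bound to that service actually cover it (wildcard names included).
$fqdns = [ordered]@{
    POP  = (Get-PopSettings).X509CertificateName
    IMAP = (Get-ImapSettings).X509CertificateName
}
$now = Get-Date
$report = foreach ($svc in $fqdns.Keys) {
    $fqdn = $fqdns[$svc]
    $covering = @($certs | Where-Object {
        $_.NotAfter -gt $now -and
        "$($_.Services)" -match $svc -and
        ($_.CertificateDomains | Where-Object { $fqdn -like $_.ToString() })
    })
    $others = @($covering | Where-Object { $_.Thumbprint -ne $old.Thumbprint })
    [pscustomobject]@{
        Service            = $svc
        ConfiguredFqdn     = $fqdn
        CoveredByOtherCert = ($others.Count -gt 0)
        CoveringCerts      = ($covering.Thumbprint -join ', ')
    }
}
$report | Format-Table -AutoSize | Out-Host

# 4. Verdict: only a report, Remove-ExchangeCertificate is left to the operator
if ($blocking.Count -gt 0) {
    Write-Warning "Send connectors still reference the old certificate: $($blocking.Name -join ', ')"
} elseif ($report | Where-Object { -not $_.CoveredByOtherCert }) {
    Write-Warning 'No other valid certificate covers the configured POP/IMAP FQDN yet.'
} else {
    Write-Host 'No Send connector references it, and POP/IMAP are covered by another certificate.'
}
```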