Get-ExchangeCertificate Blank Output: Fix It in 5 Steps
Get-ExchangeCertificate returns blank output? A missing Auth certificate plus Serialized Payload signing (default since Nov 2023 SU) causes this. Fix it here.
by Emanuel De Almeida

TL;DR
- `Get-ExchangeCertificate` returning only headers means the Exchange Auth certificate is missing, expired, or corrupt.
- Serialized Payload signing, enabled by default since the November 2023 Exchange Security Update, silently fails when the Auth certificate is absent, blanking cmdlet output.
- Run `MonitorExchangeAuthCertificate.ps1` (read-only first, then with `-ValidateAndRenewAuthCertificate $true`) to renew the certificate.
- The new certificate can take up to 24 hours to propagate; Health Checker may show `Unknown` status during that window.
- Hybrid deployments must rerun the Hybrid Configuration Wizard immediately after renewal.
What Causes Get-ExchangeCertificate to Return Blank Output?
Get-ExchangeCertificate blank output is not a cmdlet bug - it is a direct consequence of a missing or corrupt Exchange Auth certificate colliding with an active Serialized Payload signing requirement. When serialized payload signing is on and the certificate it depends on is absent, the signing process fails silently and the cmdlet returns only column headers.
According to Microsoft Support, certificate-based signing of PowerShell serialization payloads was introduced as an opt-in feature in the January 2023 Exchange Security Update, then made enabled by default starting with the November 2023 Exchange Server Security Update. That shift turned a configuration choice into an infrastructure dependency.
The Microsoft Exchange Team Blog explicitly warns that disabling serialized payload signing leaves Exchange Server exposed to known vulnerabilities and weakens protection against unknown threats. Leaving it disabled is not a safe workaround. The correct fix is restoring a valid Auth certificate.
If Serialized Payload signing were disabled, a corrupt or absent Auth certificate would still allow Get-ExchangeCertificate to return data. The blank result is specifically tied to the combination of both conditions.
As Microsoft Learn documents, all Exchange servers - except Edge Transport and Management Tools-only servers - must have access to a valid, non-expired Exchange Auth certificate for this feature to function correctly.
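Because the cmdlet that normally shows certificate state is the one that goes blank, the quickest way to confirm the diagnosis above is to read the two inputs it depends on directly: the thumbprint that `Get-AuthConfig` says the organization should be using, and whether that certificate actually exists, unexpired and with its private key, in the machine store of each Mailbox server. The following PowerShell is an added example written for this article; it is not part of the original page or of Microsoft's `MonitorExchangeAuthCertificate.ps1`. It assumes WinRM is reachable on every Mailbox server (for the remote store lookup) and that the setting-override section name `EnableSerializationDataSigning` is the one Microsoft documents for this feature.

```powershell
# Added diagnostic for the failure described above. Not part of the original
# article or of Microsoft's MonitorExchangeAuthCertificate.ps1.
# Run from an elevated Exchange Management Shell on a Mailbox server.
# Assumptions: WinRM is reachable on every Mailbox server, and the override
# section name EnableSerializationDataSigning matches Microsoft's documentation.

# 1. Which certificate does the organization's AuthConfig point at?
#    Get-AuthConfig reads Active Directory, so it still answers even when
#    Get-ExchangeCertificate comes back blank.
function Get-AuthCertificateExpectation {
    $auth = Get-AuthConfig
    [pscustomobject]@{
        CurrentThumbprint  = $auth.CurrentCertificateThumbprint
        PreviousThumbprint = $auth.PreviousCertificateThumbprint
        NextThumbprint     = $auth.NextCertificateThumbprint
        NextEffectiveDate  = $auth.NextCertificateEffectiveDate
    }
}

# 2. Is that certificate physically present and valid on a given server?
#    Read Cert:\LocalMachine\My directly instead of calling the cmdlet that
#    goes blank when the Auth certificate is missing.
function Test-AuthCertificateOnServer {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$ComputerName
    )

    $cert = Invoke-Command -ComputerName $ComputerName -ArgumentList $Thumbprint -ScriptBlock {
        param($tp)
        Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp } |
            Select-Object Subject, NotAfter, HasPrivateKey
    }

    if (-not $cert) {
        return [pscustomobject]@{ Server = $ComputerName; Status = 'MISSING'; DaysRemaining = $null; HasPrivateKey = $null }
    }

    $days   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = if ($days -lt 0) { 'EXPIRED' }
              elseif (-not $cert.HasPrivateKey) { 'NO PRIVATE KEY' }
              elseif ($days -lt 60) { 'EXPIRING' }
              else { 'OK' }

    [pscustomobject]@{ Server = $ComputerName; Status = $status; DaysRemaining = $days; HasPrivateKey = $cert.HasPrivateKey }
}

# 3. Has someone disabled serialized payload signing with an override?
#    An empty result means the post-November-2023 default (enabled) is in force.
function Get-SerializationSigningOverride {
    Get-SettingOverride |
        Where-Object { $_.Component -eq 'Data' -and $_.Section -eq 'EnableSerializationDataSigning' } |
        Select-Object Name, Parameters, Server, Reason
}

# Put it together for every Mailbox server (Edge and Tools-only servers are excluded).
$expected = Get-AuthCertificateExpectation
$expected | Format-List

Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox' } |
    ForEach-Object { Test-AuthCertificateOnServer -Thumbprint $expected.CurrentThumbprint -ComputerName $_.Fqdn } |
    Format-Table -AutoSize

$override = Get-SerializationSigningOverride
if ($override) { $override | Format-List }
else { 'No signing override present: serialized payload signing runs at its default (enabled).' }
```

A `MISSING` or `EXPIRED` row for any Mailbox server, combined with no override that sets `Enabled=false`, is exactly the pair of conditions this article describes: signing is on and the certificate it needs is not there. If the override query does return an entry disabling signing, the blank output has a different cause and, per the Exchange Team Blog guidance above, that override should be removed rather than relied on.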
What Does the Blank Output Actually Look Like?
After signing in to the Exchange Admin Center and confirming certificates appear healthy there, running the cmdlet in Exchange Management Shell (EMS) produces only empty column headers:

```powershell
Get-ExchangeCertificate
```

Instead of certificate data, you see:

```
Thumbprint Services Subject
---------- -------- -------
```

This blank result appears on every Exchange Mailbox server in the organization. In the reference environment, both EX01-2019 and EX02-2019 showed identical empty output. When we reproduced this on Exchange 2019 CU14 (which, like the November 2023 SU, enables serialized payload signing by default), the monitoring script's `-1 day(s)` validity reading appeared immediately on a server whose Auth certificate had already lapsed.
The Exchange Admin Center shows certificates as healthy because it queries a different data path - the EAC and EMS do not always reflect the same certificate state during a signing failure.
Behavior Comparison: Serialized Payload Signing Enabled vs. Disabled
| Condition | Serialized Payload Signing ENABLED | Serialized Payload Signing DISABLED |
|---|---|---|
| Auth certificate valid | Full output returned | Full output returned |
| Auth certificate missing or expired | Blank output - headers only | Full output still returned |
| Security posture | Protected against known and unknown Exchange vulns | Exposed to known Exchange vulnerabilities |
| Microsoft recommendation | Recommended (default since Nov 2023 SU) | Not recommended |
| Required for fix | Restore valid Auth certificate | No action needed (but insecure) |
Keep signing enabled. Restoring the certificate is the right path.
Step 1: How Do You Download and Run the Auth Certificate Monitor?
Microsoft provides MonitorExchangeAuthCertificate.ps1 specifically for checking and renewing the Auth certificate. Download it and place it in C:\Scripts. Open an elevated EMS session on a Mailbox role server and run a read-only check first:

```powershell
C:\Scripts\MonitorExchangeAuthCertificate.ps1
```

In our lab, a failed environment reported the current (expired) thumbprint, showed `-1 day(s)` validity, and listed every Mailbox server where the Auth certificate was actively missing. The script writes a detailed log to the AuthCertificateMonitoring folder under the Exchange logging path - check it before taking any renewal action.
You must be a member of the Organization Management role group and run this from an elevated EMS prompt on a Mailbox role server. Edge Transport and Tools-only servers will not work.
The Exchange Health Checker (maintained by Microsoft's CSS-Exchange team on GitHub) is a complementary tool worth running before and after this process to confirm overall certificate posture.
For a broader look at keeping your Auth certificate healthy over time, the step-by-step Exchange Auth certificate renewal guide covers the full lifecycle including scheduled monitoring.
Step 2: How Do You Renew the Exchange Auth Certificate?
Once the monitoring script confirms the Auth certificate must be replaced, run the renewal command. The `-IgnoreHybridConfig $true` parameter lets the script proceed even when a hybrid environment is detected - you will rerun the Hybrid Configuration Wizard separately afterward. `-Confirm:$false` suppresses the interactive confirmation prompt.

```powershell
C:\Scripts\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreHybridConfig $true -Confirm:$false
```

A successful run reports the exact timestamp when the new certificate becomes active and reminds you to rerun the Hybrid Configuration Wizard. The MSExchangeServiceHost service restarts automatically during this process. You may see a brief warning about waiting for it to restart - that pause is expected and does not indicate a failure.
A known side-effect of an expired Exchange Auth certificate after the November 2023 SU, documented by the Microsoft Exchange Team Blog, is that the Queue Viewer crashes with a constraint error. Renewing the certificate via this script resolves that crash as well.
Step 3: Verify the New Auth Certificate Is Active
Run the monitoring script again without parameters to confirm renewal succeeded:

```powershell
C:\Scripts\MonitorExchangeAuthCertificate.ps1
```

A healthy result shows the new thumbprint, a positive validity period (approximately 1826 day(s) for a freshly issued five-year certificate), and a test result of `No renewal action is required`. If the output still shows a problem, wait a few minutes and recheck - propagation across Mailbox servers takes a short time.
Step 4: Confirm Get-ExchangeCertificate Returns Data
With the Auth certificate valid and propagated, run the cmdlet again:

```powershell
Get-ExchangeCertificate
```

You should now see a populated table that includes the new Auth certificate alongside other server certificates. The Auth certificate entry will look similar to:

```
Thumbprint                               Services Subject
----------                               -------- -------
6789B2FE30740132E2DDBF147023E7485F476526 ....S..  CN=Microsoft Exchange Server Auth Certificate
804F01FADE7DF2AA309277F6BD0F96CF4B3C9B62 IP.WS..  CN=EX02-2019
```

If the output is still blank, wait and retry. The certificate can take up to 24 hours to become fully active. Do not attempt workarounds during that window - the propagation timer is genuine.
Step 5: Rerun the Hybrid Configuration Wizard and Validate Health
For hybrid Exchange deployments, rerun the Hybrid Configuration Wizard (HCW) from the Microsoft download page as soon as the new certificate is confirmed active. HCW publishes the new Auth certificate to your Microsoft Entra ID (Azure AD) tenant; until it does, Exchange Online still trusts the old certificate, and OAuth-based hybrid features such as cross-premises free/busy lookups and mailbox moves fail.
Afterward, validate certificate posture across all Exchange servers using the Exchange Health Checker:

```powershell
Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion -Match "^Version 15" } | .\HealthChecker.ps1
.\HealthChecker.ps1 -BuildHtmlServersReport -HtmlReportFile "ExchangeAllServersReport.html"
Start-Process .\ExchangeAllServersReport.html
```

Directly after certificate installation, Health Checker may report all certificate statuses as `Unknown`. Re-run it after 24 hours - statuses should then display as `Valid`.
If you want to harden your Exchange environment further after resolving this, the guide on protecting Exchange OWA from brute force attacks with reCAPTCHA covers a complementary layer of defense for internet-facing Exchange servers.
What If the Steps Above Do Not Fix It?
A few edge cases can block the fix even after following all five steps:
- Confirm the script ran on a Mailbox role server, not an Edge Transport or Tools-only machine - silent failures are common on the wrong server type.
- Verify the account holds Organization Management permissions - insufficient rights cause the script to exit without renewing.
- Check the log at `C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuthCertificateMonitoring\` for specific error messages before retrying.
- If the certificate shows valid in the monitoring script but `Get-ExchangeCertificate` is still blank, verify the November 2023 or later Exchange Security Update was applied cleanly. A partial update can leave Serialized Payload signing in an inconsistent state.
- Restart `MSExchangeServiceHost` manually if the script did not trigger an automatic restart, then retest.
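The checks in the list above can be run in one pass before retrying the renewal. The PowerShell below is an added example for this article, not part of the original page or of Microsoft's script. It assumes `$env:ExchangeInstallPath` is set (EMS sets it), that the log folder is `Logging\AuthCertificateMonitoring` under that path as shown above, and it only tests direct membership in Organization Management, not membership inherited through nested groups.

```powershell
# Added pre-flight check for the edge cases listed above. Not part of the
# original article or of Microsoft's MonitorExchangeAuthCertificate.ps1.
# Run from an elevated Exchange Management Shell on the server where the
# renewal will be attempted.
# Assumptions: $env:ExchangeInstallPath is set; the log folder is
# Logging\AuthCertificateMonitoring; only direct Organization Management
# membership is checked (nested groups are not expanded).
function Test-AuthCertRenewalPrerequisites {
    $r = [ordered]@{}

    # Role: the script needs a Mailbox server, not Edge Transport or Tools-only.
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    $r.ServerRole      = if ($server) { $server.ServerRole.ToString() } else { 'not found in AD (Tools-only or Edge?)' }
    $r.IsMailboxServer = [bool]($server -and $server.ServerRole -match 'Mailbox')

    # Build: ExSetup.exe's file version carries the SU level, which
    # AdminDisplayVersion does not. Compare it with the SU table on Microsoft Learn.
    $exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    $r.ExSetupFileVersion = if ($exsetup) { $exsetup.FileVersionInfo.FileVersion } else { 'ExSetup.exe not on PATH' }

    # Elevation of the current shell.
    $principal    = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $r.IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # RBAC: direct membership in Organization Management.
    $me      = Get-User -Identity ("{0}\{1}" -f $env:USERDOMAIN, $env:USERNAME) -ErrorAction SilentlyContinue
    $members = Get-RoleGroupMember 'Organization Management' -ErrorAction SilentlyContinue
    $r.InOrgManagement = [bool]($me -and ($members | Where-Object { $_.Name -eq $me.Name }))

    # Service the script restarts after issuing the certificate.
    $svc = Get-Service MSExchangeServiceHost -ErrorAction SilentlyContinue
    $r.ServiceHostStatus = if ($svc) { $svc.Status.ToString() } else { 'service not found' }

    # Newest monitoring log and how many error/exception lines it contains.
    $logDir = Join-Path $env:ExchangeInstallPath 'Logging\AuthCertificateMonitoring'
    $latest = Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $r.LatestLog     = if ($latest) { $latest.FullName } else { "no logs under $logDir" }
    $r.LogErrorLines = if ($latest) { @(Select-String -Path $latest.FullName -Pattern 'error|exception').Count } else { 0 }

    [pscustomobject]$r
}

$check = Test-AuthCertRenewalPrerequisites
$check | Format-List

# Any $false here explains a "silent" failure better than rerunning the script does.
if (-not ($check.IsMailboxServer -and $check.IsElevated -and $check.InOrgManagement)) {
    Write-Warning 'Prerequisites not met: fix the items above before retrying MonitorExchangeAuthCertificate.ps1.'
}
```

Read `ExSetupFileVersion` against Microsoft's Exchange build-number table to confirm the server is at the November 2023 SU or later; `AdminDisplayVersion` alone will not tell you, because it does not change between security updates.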
Once the Auth certificate is confirmed healthy, it is worth checking your broader patch posture. The Verizon 2025 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector grew 34% year-over-year, now accounting for 20% of all breaches. On-premises Exchange has been a consistent target - CISA added a Microsoft Exchange cross-site scripting vulnerability to its Known Exploited Vulnerabilities catalog in May 2026, requiring federal agencies to remediate within days. Keeping your Auth certificate valid is one part of a broader patching discipline.
For organizations managing hybrid identity, the PowerShell guide to migrating distribution groups to Microsoft 365 covers post-certificate-renewal tasks that often arise in hybrid scenarios.
Frequently asked questions

Why does Get-ExchangeCertificate return empty output after a recent security update?
Security updates from November 2023 onward enable Serialized Payload signing by default. When that feature is active and the Exchange Auth certificate is missing or corrupt, the cmdlet cannot sign its serialized output and returns a blank table instead of certificate data. Renewing the Auth certificate resolves it.

How long does it take for the new Auth certificate to become active?
After running the renewal script, the new Exchange Auth certificate can take up to 24 hours to propagate across all Mailbox servers. Health Checker may show certificate status as `Unknown` during that window - this is expected behavior and not an indicator of failure. Recheck after 24 hours.

Do I need to rerun the Hybrid Configuration Wizard after renewing the Auth certificate?
Yes. For Exchange Hybrid deployments, rerun the Hybrid Configuration Wizard as soon as the new Auth certificate is confirmed active. HCW publishes the new certificate to your Microsoft Entra ID (Azure AD) tenant; skipping it leaves Exchange Online trusting the old certificate, which causes OAuth authentication failures between on-premises Exchange and Exchange Online.

Can I run MonitorExchangeAuthCertificate.ps1 on any Exchange server?
No. The script must run from an elevated Exchange Management Shell on a Mailbox role server. It will not function on Edge Transport or Management Tools-only servers. You must also be a member of the Organization Management role group - lower-privileged accounts cause the script to exit without renewing anything.

Is it safe to disable Serialized Payload signing as a workaround?
No. Microsoft explicitly states that disabling certificate signing of PowerShell serialization payloads exposes Exchange to known vulnerabilities and weakens protection against unknown threats. Restore the Auth certificate rather than disabling the signing feature - the security cost of disabling it is not acceptable.