When you set up a new CAS server, it publishes a new ServiceConnectionPoint (SCP) object in the Configuration partition of Active Directory. Outlook uses this SCP to find the Autodiscover URL so it can configure itself.

In some cases, this SCP will cause a popup in Outlook about a certificate issue, because the fresh CAS doesn't yet have a trusted certificate.

I found it useful to disable the SCP without deleting it; however, Exchange doesn't give any useful cmdlet. You can add a registry key on the client to disable all SCP lookups, but that is not really what we want; you can delete the SCP, but that means you will have to recreate it later.

I find it more elegant to remove the Read permission for Authenticated Users on the SCP, so Exchange servers and administrators can still see and manage it, but normal users can't read it.

Once you finish configuring your CAS, you just need to add back the Read permission for Authenticated Users.
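
One way to script the hide and restore steps described above. This is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module, that the SCP's `cn` is the CAS server name, and that the SCP carries the standard Autodiscover URL keyword GUID; the parameter names and the backup file path are hypothetical.

```powershell
# Added example: hide or restore an Autodiscover SCP by editing its DACL.
# Assumes rights to modify objects in the Configuration partition.
param(
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9-]+$')]
    [string] $ServerName,                                  # CAS name = SCP cn (assumption)
    [ValidateSet('Hide', 'Restore')] [string] $Action = 'Hide',
    [string] $BackupFile = ".\$ServerName-scp-dacl.sddl"   # hypothetical backup path
)
Import-Module ActiveDirectory

# Autodiscover URL SCPs carry this well-known keyword GUID.
$filter = "(&(objectClass=serviceConnectionPoint)(cn=$ServerName)" +
          "(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))"
$scp = @(Get-ADObject -SearchBase (Get-ADRootDSE).configurationNamingContext -LDAPFilter $filter)
if ($scp.Count -ne 1) { throw "Expected exactly one SCP for $ServerName, found $($scp.Count)." }

$path = "AD:\$($scp[0].DistinguishedName)"
$acl  = Get-Acl -Path $path
$dacl = [System.Security.AccessControl.AccessControlSections]::Access

if ($Action -eq 'Restore') {
    # Put back the DACL saved before hiding; owner and SACL are left untouched.
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $BackupFile -Raw).Trim(), $dacl)
    Set-Acl -Path $path -AclObject $acl
    return
}

# Keep a copy of the current DACL so the Read ACE can be put back unchanged.
Set-Content -Path $BackupFile -Value $acl.GetSecurityDescriptorSddlForm($dacl)

$authUsers = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$sidType = [System.Security.Principal.SecurityIdentifier]

# Remove only explicit Allow ACEs for Authenticated Users (S-1-5-11).
$explicit = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $authUsers.Value -and $_.AccessControlType -eq 'Allow' }
foreach ($ace in $explicit) { [void]$acl.RemoveAccessRuleSpecific($ace) }
Set-Acl -Path $path -AclObject $acl

# Inherited ACEs survive this edit; report them instead of silently leaving the SCP readable.
$inherited = (Get-Acl -Path $path).GetAccessRules($false, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $authUsers.Value }
if ($inherited) { Write-Warning "Authenticated Users still has inherited access on $path." }
```

If the warning fires, the Read permission comes from a parent container, and removing the explicit ACE alone does not hide the SCP from normal users.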