Reassigning a Configuration Manager Client Across Hierarchies

[Today's post comes to us from Carol Bailey]

When you reassign a Configuration Manager client from one hierarchy to another, the client already has a trusted root key from its original hierarchy. Reassigning the client to a new hierarchy means that the client will also be assigned to a new management point. When both the trusted root key and the management point changes, by default, the client will become unmanaged. In this scenario, the Advanced Client component will send the status message ID 10822 to the site, with a description that it encountered a certificate for a management point that it could not verify. Additionally, the client log file Locationservices.log will display the following error: The trusted key, mp certificate and the mp machine have changed on server. The client cannot validate the authentication information.

If you want to just reassign a client to a new hierarchy without reinstalling it, you have two options:

• Pre-provision the client with the trusted root key for the new hierarchy, using one of the procedures in the topic How to Pre-Provision the Trusted Root Key on Clients. This is the recommend method because it is more secure.
• Remove the trusted root key from client, using the procedure in the topic How to Remove the Trusted Root Key.

Alternatively, when you reassign the client, you can also reinstall it by using a method that includes the trusted root key.  For example:

• Client push, which automatically includes the trusted root key without your having to specify it.
• CCMSetup and include the option SMSPublicRootKey or SMSROOTKEYPATH. For more information, see About Configuration Manager Client Installation Properties.

--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.