ConfigMgr “All instances of the objects that are related to the assigned security roles” Greyed Out

I came across an issue today where I couldn’t tick the box to automatically upgrade the ConfigMgr client on all devices after an SCCM upgrade. It turns out that to do so, you need to have the Assigned security scope setting of “All instances of the objects that are related to the assigned security roles”.

When trying to apply this to my account I worked out that the person that installed ConfigMgr has to change this permission. In my case, that person had left the business and their AD account had been deleted.

NOTE: Before proceeding, please ensure you understand what you are changing and that you have a backup of your database. Making this change is likely to void Microsoft support, so do so at your own risk.

I came across a post on the Microsoft forums that allowed you to change this from SQL directly by swapping the user account used to set up ConfigMgr with your own. To do so, run


You should be able to see your account and the one that was used to setup ConfigMgr. Using the ID in the first column, run the following SQL query, ensuring you change the 4 sections:
“new admin id”
“new logon name ie domain\username”
“new display name”
“old admin id”

DECLARE @Y varbinary(85)
SET @Y = (Select [AdminSID] from [dbo].[RBAC_Admins] WHERE [AdminID] = <new admin id>)
UPDATE [dbo].[RBAC_Admins] 
   SET [AdminSID] = CONVERT(varbinary(85), @Y, 1),
   [LogonName] = '<new logon name ie domain\username>',
   [DisplayName] = '<new display name>'
 WHERE [AdminID] = <old admin id>

It should look something like this:

DECLARE @Y varbinary(85)
SET @Y = (Select [AdminSID] from [dbo].[RBAC_Admins] WHERE [AdminID] = 1754545)
UPDATE [dbo].[RBAC_Admins] 
   SET [AdminSID] = CONVERT(varbinary(85), @Y, 1),
   [LogonName] = 'Domain\John.Smith',
   [DisplayName] = 'John Smith'
 WHERE [AdminID] = 175422