We are about to change the DNS domain of the ZCM Primary servers (i.e. join the AD domain!)
This will result in a new FQDN and hence a requirement for a new CA, server certs, etc.

We can get the new CA out to devices via Group Policy, however we will have hundreds of devices that will probably not connect to the environment during the change (i.e. time between re-mint of First Primary and CA, which we'll move down in closest servers, and the re-mint of the other Primaries). We can allow a couple of days but there are lots of users that connect infrequently, plus the summer holidays...

So, to get these devices back we will need to re-establish trust ('zac retr').

Two issues here:
a) we want to specify a user with the bare minimum of rights - the chances are the service desk guys will be talking users through this process on the phone (as ZCM will have lost control), so we need to establish what the minimum rights are (the doc just states Zone Administrator)?
b) the process forces the person running it to manually accept the certificate. Is there any way to 'force'/silently get this done?

Any thoughts or suggestions welcome.