Attempts to use a new install package from a separate group than the current group a machine is reporting to fail to move the machine to the group assigned to the install package.
This behavior is by design and is meant to prevent unauthorized changes.
Administrators can move machines via the SES cloud console by issuing a move command. The move command can be used to move multiple machines or single machines.
If a re-install over an already enrolled client happens, the client's existing hardware ID matches an existing device in the SES cloud database. It's by design that the device remains in its current group assignment, ignoring the default value in the installation package. The intended behavior for preexisting devices is that they will only move groups due to admin action in the cloud console.
For more information on comparison to the on-premise SEP client behavior and possible workarounds please see the below article.A managed Endpoint Protection client will not change group or domain membership after some operations