The Sym Agent installed using a CEM Sym Agent Install Package fails to communicate with the Notification Server (NS, SMP), although it successfully connects to the Symantec Internet Gateway tunnel. An HTTP error 500.64 (Client certificate validation error) was seen in the SMP IIS logs, along with the following Windows Event errors / warnings:
Error 01/09/2016 17:04:11 Schannel 36888 None
The following fatal alert was generated: 10. The internal error state is 1203.
+++++++
Warning 01/09/2016 17:02:02 Schannel 36885 None
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
ITMS 8.x
The SMP trusted root CA certificate store had more than 350 certificates, causing Windows to trim the list of CA certificates required for validating the CEM package's temporary client certificate.
Remove all extra root CA certificates that are not required from the SMP trusted root CA certificate store.
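
A read-only audit of the trusted root store, to help decide which certificates to review. This is an added example, not part of the original article or a Symantec tool. It assumes an elevated PowerShell session on the SMP server; the 350 threshold is the count reported above, and the summed subject-name size is only a rough proxy for the list Schannel sends.

```powershell
# Added example: read-only audit of the SMP trusted root CA store.
# Nothing is removed; the output is a list of candidates for manual review.
$storePath = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
$threshold = 350                          # count reported in this article
$roots     = @(Get-ChildItem -Path $storePath)
$now       = Get-Date

# Rough proxy for the trusted-issuer list size: sum of DER-encoded subject names.
$dnBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length } |
            Measure-Object -Sum).Sum

[pscustomobject]@{
    Store            = $storePath
    CertificateCount = $roots.Count
    SubjectNameBytes = $dnBytes
    OverThreshold    = ($roots.Count -gt $threshold)
} | Format-List

# Candidate group 1: expired root certificates.
$roots | Where-Object { $_.NotAfter -lt $now } |
    Sort-Object NotAfter |
    Select-Object Thumbprint, NotAfter, Subject |
    Format-Table -AutoSize

# Candidate group 2: certificates that are not self-signed
# (intermediates that were placed in the root store by mistake).
$roots | Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object Thumbprint, Subject, Issuer |
    Format-Table -AutoSize

# Candidate group 3: several certificates sharing one subject name.
$roots | Group-Object -Property Subject |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Check whether the Schannel events quoted in this article are still logged.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36885, 36888
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName |
    Format-Table -AutoSize
```

Export a certificate before deleting it so it can be restored, then re-run the audit and confirm that event 36885 is no longer logged.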