After adding new certificates to Task Servers (TS), most clients were unable to register with the TS even though the certificates were added to the server's communication profile prior to the expiration of the old certificates. The clients had received the new certs and were attempting to use them but failing with the following error repeatedly.

The error indicated a failure to authenticate, not a failure due to an incorrect certificate thumbprint.

Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: altiris-ss1.yourcompany.org:443
Path: /Altiris/ClientTaskServer/Register.aspx
Connection Id: 12.127512
Communication profile Id: {F7AAFC5D-8794-4296-924D-A702ACB7A929}
Throttling: 0 0 0
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Authentication failed, server refused to authenticate with provided credentials
Server HTTPS connection info:
   Server certificate:
      Serial number: 00 9b 14 43 ba 93 12 a3 78 19 45 fe 33 85 2c f9 4d
      Thumbprint: 49 f6 35 72 55 3b a8 e4 97 00 3e 14 7a 8b 0e fe 4a b5 fc c9
   Cryptographic protocol: TLS 1.0
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   Cipher algorithm: AES
   Cipher key length: 256
   Hash algorithm: SHA1
   Hash length: 160
   Key exchange algorithm: ECDH
   Key length: 384

All other Task Servers were allowing clients to connect to them using the new certificates. 

Release ITMS 8.5 RU3

Component: Agent Communication Profiles

In a very rare instance the Communication Profile for the Task Server had somehow become corrupted or incomplete. As a result it was not able to provide the account credentials that should have been cached--to the client computers to allow them to authenticate using a named account and not anonymously.

Stop the agent service on the problem Site/Task Server.

In the SMP console, under "Site Server Settings", select the problem Task Server and click on the "Install/Remove services" link.

1. Uncheck all services. Next.
2. Run the Delta Resource Membership Update schedule in Windows Task Scheduler, on the SMP server.
3. At this point the Communication Profile for the server should have been deleted from "Settings > Agents/Plug-ins > Symantec Management Agent > Symantec Management Agent Communication Profiles > Site Server Communication Profiles"
4. Go back into "Site Server Settings" page again and add the Site Server again and select the desired services.
5. Run the Delta Resource Membership Update schedule one more time and wait for it to be completed.
6. Start the agent service on the Site Server again. 

A new Profile will have been created which will function to provide the necessary instructions and credentials for accessing the site server.