After our machines are imaged we wait for the plug-ins to install and they never do.
After a few hours the Software Update Plugins still aren't installing and I confirmed that the software update plugin install policy is on and running every hour. The machines that are missing the plug-ins are listed in the policy as needing the plug-in but it never successfully installs.
In the Symantec Management Agent our machines are getting many errors/warnings including the following:
Failed to send basic inventory, COM error: Cannot send event, the computer has not been registered on the server (0x80042B01)
NS web site certificate is missing from the responce, CEM certificates request added to queue and is waiting for approval
Failed to receive CEM certificates from https://<SMPserver>.example.com:443/altiris/NS/Agent/GetClientCertificateMig.aspx?Encrypted=1 in direct mode, error: The data is invalid (0x8007000D)
Configure Server Mode: CEM mode was not initialized successfully, will retry
Failed to register agent. Registration status 'Not registered'. Next retry in 15 min.
CTAgent::_ExecuteLocalTask(): CAtrsException exception, error: Agent is not initialized., OS error: The data necessary to complete this operation is not yet available (0x8000000A), at line 1146
Verified that the Communication Profiles (in the SMP Console) for the Notification Server and Site Server(s) were configured correctly for TLS and the certificates.
Verified the certificates in Certificate Manager (in the SMP Console) and everything looked correct there.
Verified the configuration on a sample Sym Agent machine in the Sym Agent properties and in the logs and everything appeared to be configured correctly there.
In IIS Manager, under the Default Web Site, we looked at the Bindings (either right-click and select "Edit Bindings ..." or, in the right pane under Edit Site, select "Bindings ...") and found that the Site Binding for "https - port 443" was missing the SSL Certificate completely. Somehow this had been removed.
Added the correct SSL Certificate to the Site Binding of "https - port 443" and then the Sym Agent machines could again download the needed plug-ins and function as needed.
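The same binding check can be scripted so that a missing certificate shows up without opening IIS Manager. The following is an added example, not part of the original article or any Symantec tooling; it assumes the IIS WebAdministration PowerShell module is installed on the server, and the function name Test-HttpsBindingCertificate is hypothetical.

```powershell
# Added example: report https bindings on an IIS site that have no usable certificate.
# Run in an elevated PowerShell session on the server that hosts the site.
Import-Module WebAdministration

function Test-HttpsBindingCertificate {
    param(
        [string]$SiteName = 'Default Web Site'   # site named in the article
    )

    $bindings = @(Get-WebBinding -Name $SiteName -Protocol 'https')
    if ($bindings.Count -eq 0) {
        Write-Warning "No https bindings found on '$SiteName'."
        return
    }

    foreach ($b in $bindings) {
        $hash   = $b.certificateHash
        # An empty store name is treated as the machine's Personal ("My") store.
        $store  = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert   = $null
        $status = 'OK'

        if ([string]::IsNullOrEmpty($hash)) {
            # The condition described in the article: binding exists, no certificate.
            $status = 'NoCertificateAssigned'
        } else {
            $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
            if (-not $cert)                        { $status = 'CertificateNotInStore' }
            elseif (-not $cert.HasPrivateKey)      { $status = 'NoPrivateKey' }
            elseif ($cert.NotAfter -lt (Get-Date)) { $status = 'Expired' }
        }

        [pscustomobject]@{
            Site       = $SiteName
            Binding    = $b.bindingInformation
            Thumbprint = $hash
            Subject    = if ($cert) { $cert.Subject } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Status     = $status
        }
    }
}

Test-HttpsBindingCertificate | Format-Table -AutoSize
```

Any row whose Status is not OK points at a binding that needs attention; NoCertificateAssigned on the port 443 binding matches the cause found here.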