You recently migrated to a new server, following the steps in the document below to keep the original SMP (Symantec Management Platform) Server name:
Migrating to a New SMP Server While Keeping the Same Hostname and IP Address
However, you cannot open the SMP Console using the desired name (in this case the original SMP Server name); the browser reports:
Your connection is not private
Furthermore, the client machines cannot get a new configuration or send basic inventory.
The Agent UI shows the following error:
Failed to update configuration.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (0x800B0109)
The client machines are still supposed to connect to the SMP Server with the original name.
Note: For the purpose of this KB article,
The original SMP Server name is: itms-smp-4.example.local.
Internal valid original SMP Server name alias: itms-smp-4.us-west.example.internal.
Original server name when the new SMP Server was built: temporal-na-smp873
Log entries like the following appear in your NS and Agent logs:
Entry 1:
Calling NS server endpoint 'HTTPS://itms-smp-4.example.local:443/Altiris/NS/Agent/GetClientPolicies.aspx', ID: {32FB5E6D-4E8B-4965-9E4F-9642A99A95E6}
-----------------------------------------------------------------------------------------------------
Date: 2/28/2025 2:36:10 PM, Tick Count: 10252296 (02:50:52.2960000), Size: 375 B
Process: AeXNSAgent.exe (4736), Thread ID: 2780, Module: AeXNSAgent.exe
Priority: 4, Source: Agent
Entry 2:
Operation 'Direct: Connect' failed.
Url: HTTPS://itms-smp-4.example.local:443/Altiris/NS/Agent/GetClientPolicies.aspx
Connection path: 2 - Direct: [10.0.36.134] -> itms-smp-4.us-west.example.internal. [10.0.36.125:443]
Communication profile id: {AF812EE7-xxxxxxxxxxxxx}
Throttling: 0 0 0
Connecton stage: Server connect
Error type: TLS handshake error
Error code: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (0x800B0109)
Error note: 'itms-smp-4.example.internal' server's certificate is not valid, the error was in certificate 0 of chain 0 (1 chains in total).
Chain 0, 1 certificates:
0 (end) *: Trust status: 20.10C, Issued to: temporal-na-smp873, Issued by: temporal-na-smp873, Thumbprint: c3 ec 4a xxxxxxxxxxxxxxx
Server SSL connection info:
Server certificate:
Serial number: 00 8a 10 xxxxxxxxxxxx
Thumbprint: c3 ec 4a xxxxxxxxxxxxxx
Client certificate:
Serial number: N/A
Thumbprint: N/A
Cryptographic protocol: TLS 1.3
Cipher suite: TLS_AES_256_GCM_SHA384
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm:
Hash length: 0
Key exchange algorithm:
Key length: 0
Client SSL attributes for server connection:
Client certificate:
Serial number: N/A
Thumbprint: N/A
Cryptographic protocol: TLS 1.0, 1.1, 1.2, 1.3
Connection path id: e196f54ef6e7e57105048996e8a62402ddfe3f81
-----------------------------------------------------------------------------------------------------
Date: 2/28/2025 2:36:10 PM, Tick Count: 10252343 (02:50:52.3430000), Size: 1.83 KB
Process: AeXNSAgent.exe (4736), Thread ID: 2780, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation
Entry 3:
Policy request failed, COM error: 'itms-smp-4.us-west.example.internal' server's certificate is not valid, the error was in certificate 0 of chain 0 (1 chains in total).
Chain 0, 1 certificates:
0 (end) *: Trust status: 20.10C, Issued to: temporal-na-smp873, Issued by: temporal-na-smp873, Thumbprint: c3 ec 4a xxxxxxxxxx (0x800B0109)
-----------------------------------------------------------------------------------------------------
Date: 2/28/2025 2:36:10 PM, Tick Count: 10252343 (02:50:52.3430000), Size: 624 B
Process: AeXNSAgent.exe (4736), Thread ID: 2780, Module: AeXNSAgent.exe
Priority: 1, Source: ConfigServer
Entry 4:
_com_error exception: 'itms-smp-4.us-west.example.internal' server's certificate is not valid, the error was in certificate 0 of chain 0 (1 chains in total).
Chain 0, 1 certificates:
0 (end) *: Trust status: 20.10C, Issued to: temporal-na-smp873, Issued by: temporal-na-smp873, Thumbprint: c3 ec 4a xxxxxxxxxx. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (0x800B0109)
-----------------------------------------------------------------------------------------------------
Date: 2/28/2025 2:36:16 PM, Tick Count: 10257703 (02:50:57.7030000), Size: 750 B
Process: AeXNSAgent.exe (4736), Thread ID: 2780, Module: AeXNSAgent.exe
Priority: 2, Source: AeXClient::raw_ImportConnectionProfile
Entry 5:
Failed to download profile '{AF812EE7-xxxxxxxxxxxxxx}', error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (0x800B0109)
-----------------------------------------------------------------------------------------------------
Date: 2/28/2025 2:36:16 PM, Tick Count: 10257703 (02:50:57.7030000), Size: 437 B
Process: AeXNSAgent.exe (4736), Thread ID: 2780, Module: AeXNSAgent.exe
Priority: 2, Source: ConnectionProfile
ITMS 8.7.x
After migrating the original SMP Server's "Notification Server Configuration", the customer did not assign the original SMP Server certificate to the port 443 binding in IIS Manager,
OR the customer did not "restore" the "NS Web Configuration" and/or the "NS CA Configuration".
Open IIS Manager and check that the correct certificate is bound to port 443 on the SMP Server "Default Web Site".
Note:
The certificate IIS presents must be one the Symantec Management Agent already trusts through its Agent Communication Profile; otherwise the client machines cannot validate the connection.
In this particular example, port 443 still had the certificate created when the new server was built (temporal-na-smp873) assigned under the "Default Web Site" binding. That certificate was never part of the Agent Communication Profile the agents received before the migration, so every agent rejected the TLS handshake.
The proper and expected certificate for the port 443 binding is the original SMP Server certificate (in this example, the one for itms-smp-4.example.local).
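The binding check above can be scripted instead of clicking through IIS Manager. The following is an added example (not from the KB or the product): it lists every HTTPS binding on the SMP site's port 443, resolves the bound certificate from the local machine store, reports whether it is self-signed and whether it covers the original SMP name, and with -Fix rebinds the original certificate. It assumes an elevated PowerShell on the SMP server, the WebAdministration module, and that the original certificate (the KB's example name itms-smp-4.example.local is the default) is already in Cert:\LocalMachine\My with its private key. Function and parameter names are this example's own.

```powershell
# Added example, not from the KB or the product: check which certificate IIS
# presents on the SMP port 443 binding and, with -Fix, rebind the expected one.
# Assumptions: elevated PowerShell on the SMP server; WebAdministration module
# present; the original SMP certificate (KB example: itms-smp-4.example.local)
# is in Cert:\LocalMachine\My with its private key. Names are hypothetical.
Import-Module WebAdministration -ErrorAction Stop

# True when the certificate's Subject CN or a SAN DNS entry equals $Fqdn.
# The SAN text comes from Format($false), which reads "DNS Name=..." on English Windows.
function Test-CertCoversName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_.Substring(9) })
    }
    return [bool]($names | Where-Object { $_ -ieq $Fqdn })
}

function Test-SmpSslBinding {
    param(
        [string]$ExpectedFqdn = 'itms-smp-4.example.local',
        [string]$SiteName     = 'Default Web Site',
        [int]$Port            = 443,
        [switch]$Fix
    )
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" })
    if ($bindings.Count -eq 0) {
        Write-Warning "No https binding on port $Port for '$SiteName'."
        return
    }
    foreach ($b in $bindings) {
        # certificateStoreName is empty when nothing is bound yet; default to My.
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = $null
        if ($b.certificateHash) {
            $cert = Get-ChildItem "Cert:\LocalMachine\$store" |
                Where-Object { $_.Thumbprint -eq $b.certificateHash }
        }
        $issuedTo   = if ($cert) { $cert.Subject } else { '<none bound>' }
        $issuedBy   = if ($cert) { $cert.Issuer }  else { '' }
        $selfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        $covers     = [bool]($cert -and (Test-CertCoversName -Cert $cert -Fqdn $ExpectedFqdn))
        [pscustomobject]@{
            Binding            = $b.bindingInformation
            IssuedTo           = $issuedTo
            IssuedBy           = $issuedBy
            Thumbprint         = $b.certificateHash
            SelfSigned         = $selfSigned
            CoversExpectedName = $covers
        }
        if ($covers) { continue }
        Write-Warning "Binding $($b.bindingInformation) presents '$issuedTo', which does not cover $ExpectedFqdn. Agents will log 0x800B0109 until this is corrected."
        if (-not $Fix) { continue }

        # Pick the newest certificate for the expected name that has a private key.
        $expected = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and (Test-CertCoversName -Cert $_ -Fqdn $ExpectedFqdn) } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $expected) {
            throw "No certificate for $ExpectedFqdn with a private key in LocalMachine\My. Restore the NS Web Configuration first."
        }
        if ($b.certificateHash) { $b.RemoveSslCertificate() }
        $b.AddSslCertificate($expected.Thumbprint, 'My')
        Write-Host "Rebound $($b.bindingInformation) to $($expected.Subject) [$($expected.Thumbprint)]"
    }
}

Test-SmpSslBinding -ExpectedFqdn 'itms-smp-4.example.local' | Format-Table -AutoSize
```

Run it once without -Fix to see the report; a row with SelfSigned = True and CoversExpectedName = False is the build-time certificate described above. `netsh http show sslcert ipport=0.0.0.0:443` shows the same hash from the HTTP.sys side and is a useful cross-check after rebinding.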
The logs will have something like this:
Operation 'Direct: Connect' failed.
Url: HTTPS://itms-smp-4.example.local:443/Altiris/NS/Agent/GetClientPolicies.aspx
Connection path: 2 - Direct: [10.0.36.134] -> itms-smp-4.us-west.example.internal. [10.0.36.125:443]
Communication profile id: {AF812EE7-xxxxxxxxxxxxx}
Throttling: 0 0 0
Connecton stage: Server connect
Error type: TLS handshake error
Error code: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (0x800B0109)
Error note: 'itms-smp-4.example.internal' server's certificate is not valid, the error was in certificate 0 of chain 0 (1 chains in total).
Chain 0, 1 certificates:
0 (end) *: Trust status: 20.10C, Issued to: temporal-na-smp873, Issued by: temporal-na-smp873, Thumbprint: c3 ec 4a xxxxxxxxxxxxxxx
The "Error note" line names the server the agent was validating, i.e. the SMP name from its communication profile, while the "Chain 0" lines underneath show what the server actually presented: a single self-signed certificate, issued to and by temporal-na-smp873, the build-time name of the new server. "Trust status: 20.10C" decodes to CERT_TRUST_IS_UNTRUSTED_ROOT (0x20) with info flags marking the certificate as self-signed, and 0x800B0109 is CERT_E_UNTRUSTEDROOT.
In other words, the agent expects the certificate for itms-smp-4.example.local that its communication profile trusts, but the IIS binding on port 443 is presenting the temporal-na-smp873 certificate, for which the agent has no trust anchor. The TLS handshake therefore fails before any policy or inventory data can be exchanged.
You can confirm that the agent's communication profile references the original server certificate by clicking the Communication Profile link in the Agent UI.
You can also see which certificate the agent expects by clicking the "View Notification Server certificate" link in the Agent UI. Compare its thumbprint with the one shown in the "Chain 0" lines of the log: if they differ, IIS is presenting the wrong certificate.
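The same comparison can be made from a client without waiting for the next agent policy request. The following is an added example (not from the KB or the product): it dials the SMP name the agent is configured with, captures the certificate IIS presents, rebuilds the chain the way CryptoAPI does, and reports the same result the agent log shows, where an UntrustedRoot chain status corresponds to the 0x800B0109 (CERT_E_UNTRUSTEDROOT) error above. The validation callback returns true so the certificate can be inspected; it is for diagnosis only. Host and port defaults are the KB's example values; the optional expected thumbprint would come from the "View Notification Server certificate" link and is not supplied here. Function and parameter names are this example's own.

```powershell
# Added example, not from the KB or the product: reproduce the agent's
# server-certificate check from a client. Accepting every certificate in the
# callback is deliberate for diagnosis and must not be copied into real code.
# Assumptions: host/port defaults are the KB's example values; names are hypothetical.
function Test-SmpServerCertificate {
    param(
        [string]$SmpHost = 'itms-smp-4.example.local',
        [int]$Port = 443,
        [string]$ExpectedThumbprint = ''   # from the agent's communication profile, if known
    )
    $capture = @{}
    $cb = {
        param($sender, $cert, $srvChain, $errors)
        $capture.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $capture.Errors = $errors           # SslPolicyErrors: name mismatch, chain errors, ...
        return $true                        # accept so we can inspect; diagnosis only
    }.GetNewClosure()
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]$cb

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($SmpHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $validator
    try {
        $ssl.AuthenticateAsClient($SmpHost) # SNI and name check use the agent's configured name
        $protocol = $ssl.SslProtocol
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
    if (-not $capture.Cert) { throw "Handshake with ${SmpHost}:$Port ended before a certificate was presented." }
    $c = $capture.Cert

    # Rebuild the chain with CryptoAPI so the status matches the agent's "Trust status".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($c)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $issuedTo = $c.GetNameInfo($simple, $false)
    $issuedBy = $c.GetNameInfo($simple, $true)
    $profileMatch = $null
    if ($ExpectedThumbprint) {
        $profileMatch = ($c.Thumbprint -eq $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant())
    }
    $result = [pscustomobject]@{
        Host           = $SmpHost
        Protocol       = $protocol
        IssuedTo       = $issuedTo
        IssuedBy       = $issuedBy
        Thumbprint     = $c.Thumbprint
        SelfSigned     = ($c.Subject -eq $c.Issuer)
        PolicyErrors   = $capture.Errors.ToString()
        ChainStatus    = ($chainStatus -join ', ')
        MatchesProfile = $profileMatch
    }
    if ($chainStatus -contains 'UntrustedRoot') {
        $msg = "$SmpHost presented '$issuedTo' issued by '$issuedBy' (self-signed: $($result.SelfSigned)); " +
               "the chain ends in an untrusted root. This is the 0x800B0109 the agent logs: fix the port $Port binding in IIS."
        Write-Warning $msg
    }
    return $result
}

Test-SmpServerCertificate -SmpHost 'itms-smp-4.example.local' | Format-List
```

In the scenario above this reports IssuedTo and IssuedBy both equal to the build-time server name, SelfSigned = True and ChainStatus containing UntrustedRoot; after the binding is corrected, IssuedTo is the original SMP name and ChainStatus is empty. If PolicyErrors also shows RemoteCertificateNameMismatch, the certificate chains correctly but was issued for a different name, which is a separate problem from the one in this article.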