Many Client machines are not being able to get a task server to be assigned to.
1. When the client machine tries to contact the SMP in order to get the Task Server list, it receives the following error:

Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smp.Example.com:443
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx
Connection Id: 30.3904
Communication profile Id: {xxxxxxxx-5E78-46B2-87CC-3FCCA718D219}
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication
(0x8FA10191)
Error note: Authentication: Failed. Server refused to authenticate with
provided credentials.
 

Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smp.Example.com:443
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx
Connection Id: 30.3904
Communication profile Id: {xxxxxxxx-5E78-46B2-87CC-3FCCA718D219}
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Authentication: Failed. Server refused to authenticate with provided credentials.
Server HTTPS connection info:
Server certificate:
Serial number: xx xx xx xx be 0f 6f 85 43 66 21 d3 66 fc c5 e1
Thumbprint: xx xx xx xx aa ee 4a 0a 82 1c ea db 5c a2 e1 34 bd b7 f2 c6
Cryptographic protocol: TLS 1.0
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA1
Hash length: 160
Key exchange algorithm: ECDH_P256
Key length: 256
------------------------------------------------------------------------------
-----------------------
Date: 8/20/2018 2:06:23 PM, Tick Count: 4944763 (01:22:24.7630000), Size: 1.13 KB
Process: AeXNSAgent.exe (3904), Thread ID: 4088, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

Operation 'Direct: Head' failed.
Protocol: HTTPS
Host: smp.Example.com:443
Path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx
Connection Id: 30.3904
Communication profile Id: {xxxxxxxx-5E78-46B2-87CC-3FCCA718D219}
Error type: HTTP error
Error code: HTTP status 401: The request requires user authentication (0x8FA10191)
Error note: Empty response content received
Server HTTPS connection info:
Server certificate:
Serial number: xx xx xx xx be 0f 6f 85 43 66 21 d3 66 fc c5 e1
Thumbprint: xx xx xx xx aa ee 4a 0a 82 1c ea db 5c a2 e1 34 bd b7 f2 c6
Cryptographic protocol: TLS 1.0
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA1
Hash length: 160
Key exchange algorithm: ECDH_P256
Key length: 256
------------------------------------------------------------------------------
-----------------------
Date: 8/20/2018 2:06:23 PM, Tick Count: 4944763 (01:22:24.7630000),  Size: 1.08 KB
Process: AeXNSAgent.exe (3904), Thread ID: 4088, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

Failed to call web interface by url
[https://smp.Example.com:443/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?shares=1&resourceGuid=xxxxxxxx-0a6e-4da2-996a-12ae22017d8d&crc=0008000100001863],
error [0x80042D21, IDispatch error #11041].
------------------------------------------------------------------------------
-----------------------
Date: 8/20/2018 2:06:23 PM, Tick Count: 4944763 (01:22:24.7630000), Size: 499 B
Process: AeXNSAgent.exe (3904), Thread ID: 4088, Module: client task agent.dll
Priority: 2, Source: Client Task Agent

ITMS 8.x

The customer added some IP address restrictions in his AD.  The customer mentioned that the configuration called "Log On To" (sometimes people may call it "Connect To" setting)  was the one that they setup to block the SMP user account to be used on few specific machines, like the SMP and the Site Server.

See related references:

http://woshub.com/restrict-workstation-logon-ad-users/

https://ravingroo.com/267/active-directory-user-workstation-logon-restriction/

Remove the affecting AD configuration that was blocking the SMP user account. In this case the AD configuration called "Log On To".

After they removed that configuration, we were able to get all machine on their environment working without issue.

Also make sure the Symantec Management Agent, and also the Task Service is upgraded on the Site Servers.  If you've upgraded recently, the Task Servers need to be upgraded.

NOTE: If you want to limit the 'Log-On to' option of Service Account to only NS and CMDB and not other servers, make sure to create another Agent Connectivity Credential (ACC) using the KB 194234. After using this article and using another ACC rather than AppID for agent connectivity, you may limit the Log-On option of the AppID.