Having not looked at the SEPM console for a while, I failed to ntice that there were hardly any clients listed. Approximately 1000 were missing. Ooops. The upshot of this is that I discovered fixing this is a total pain. The problem began when I decided to load balance clients between our two management servers. However, I managed to do the following.
Make a typo in both of the server names
Enable SSL without an actual SSL cert

This took a long time to fix, mostly because I tried things suggested on forums before using my own brain. A lot of them suggested pushing out a new sylink.xml file to the clients to get them to update the server they conenct to. This had no effect. The file is never read from what I can tell. The registry entries didn’t change. I tried both of Symantec’s tools but after a few days of messing around with SCCM advertisements I gave in.

The simple solution for me, was to add a CNAME in DNS for the wrong server name, and point it to the correct one. Once they connected, they will pick up the new policy with the corrected server names. I also added the correct certificate in IIS on the SEPM server. I assumed it used its own server rather than IIS, but there we go.