There are several practices in which we use host profiles in our environment to achieve compliance across all the ESXi hosts in a cluster.
There are mostly three statuses reported for a host profile attached to an ESXi host.
As you know, the status shows as Compliant only when all the features and settings of the host profile and the ESXi host match perfectly.
The Not-compliant status shows when the host profile is unable to meet the complete requirements on the host and some features are missing.
The Unknown status is the suspect one: it can appear even when the ESXi host is actually compliant, or sometimes when it is not compliant.
There are several identified causes for that.
Most of the time we found that everything looks good in the ESXi UI and in the host profile, with all the parameters met successfully, and even then the host profile status shows as "UNKNOWN".
In my case I found one glitch where the DVS configuration was not completely synced in /etc/vmware/hostd/portgroup.gz on the ESXi host. It states that the full mapping of dvportgroup to portgroupkey was missing.
To verify the correct mapping, compare the portgroup.gz file from an ESXi host that shows Compliant status with the one from the ESXi host that shows the host profile status as "UNKNOWN".
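One way to run that comparison offline, as an added example that is not part of the original post: copy portgroup.gz from both hosts to a workstation and pass the two files to this script, which lists the lines present on the compliant host but absent on the other. It assumes a plain line-by-line comparison of the decompressed text is meaningful; the function names and the embedded sample entries are constructed placeholders and do not reflect the real file layout.

```python
import difflib
import gzip
import sys


def read_gz_lines(data: bytes) -> list[str]:
    """Decompress gzip bytes and return stripped, non-empty text lines."""
    text = gzip.decompress(data).decode("utf-8", errors="replace")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def missing_entries(compliant: bytes, unknown: bytes) -> list[str]:
    """Lines present in the compliant host's file but absent from the other."""
    have = set(read_gz_lines(unknown))
    return [ln for ln in read_gz_lines(compliant) if ln not in have]


def unified(compliant: bytes, unknown: bytes) -> str:
    """Unified diff of the two decompressed files, for manual review."""
    return "\n".join(difflib.unified_diff(
        read_gz_lines(compliant), read_gz_lines(unknown),
        fromfile="compliant-host", tofile="unknown-host", lineterm=""))


# Constructed sample data (placeholder entries, NOT the real hostd layout).
SAMPLE_COMPLIANT = gzip.compress(
    b"pg-web key-101\npg-db key-102\npg-mgmt key-103\n")
SAMPLE_UNKNOWN = gzip.compress(b"pg-web key-101\npg-mgmt key-103\n")

if __name__ == "__main__":
    # Usage: script.py <compliant-host portgroup.gz> <unknown-host portgroup.gz>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            good, bad = a.read(), b.read()
    else:
        good, bad = SAMPLE_COMPLIANT, SAMPLE_UNKNOWN
    for line in missing_entries(good, bad):
        print("missing on unknown-status host:", line)
    print(unified(good, bad))
```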
To resolve this issue, you can move all the DVS switches/port groups to a standard switch and then revert them all back to the DVS, so that all the portgroup and portgroupkey mappings are established properly in /etc/vmware/hostd/portgroup.gz on the ESXi host that is showing the Unknown status. After completion, run the host compliance check again and you will find that the host profile status moves to Compliant.
Second solution: if your ESXi host is running 6.0 U1, upgrade it to 6.0 U2, which is one of the solutions.