SCCM Servers showing their state as "Unknown"

I recently came across a unique issue where SCCM had not been reporting site status for its remote servers properly. This was caused by the site servers not having the rights to access the registry keys set by the servers they were trying to query for status.

On remote SCCM servers, mainly those with only SQL installed as a site database role, the registry keys that the SCCM CAS (Central Administration Site) relies on to monitor the health of site systems cannot be accessed.

The reason for this is that the SCCM CAS connects to the registry of the remote site server and reads the keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS. This is where the remote server keeps the status for the site system, rather than having the server do a health check.

The permissions to these keys are set correctly, as the local system account and the local administrators group of the server have full permission to this key (as is the default of SCCM).

What I found the issue to be in this case was the setting "Network access: Remotely accessible registry paths and subpaths". This is found in Computer Configuration / Windows Settings / Security Settings / Security Options. This setting was missing the entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS, which enables the site server to query the remote site for its current state.

Without this entry, the Configuration Manager console will show the site status as "Unknown" instead of displaying the proper site status. Below are two images depicting what a healthy and an unhealthy site system look like. The top is with registry access, the bottom is with it blocked.
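To confirm the state of this setting on a remote site system, the following added example (not part of the original post) reads the effective policy value and reports whether the SMS key is covered. It assumes the policy is stored in the `Machine` multi-string value under `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths`, with entries written relative to HKLM as the default entries are; the function name `Test-RemoteRegistryPathAllowed` is hypothetical.

```powershell
# Added example: audit the value behind
# "Network access: Remotely accessible registry paths and sub-paths".
# Run locally on the remote site system, or through Invoke-Command.
function Test-RemoteRegistryPathAllowed {
    param(
        [string]$Path = 'Software\Microsoft\SMS',
        # Optional: supply a list to evaluate instead of the live policy value.
        [string[]]$AllowedPaths
    )

    if (-not $PSBoundParameters.ContainsKey('AllowedPaths')) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
        $AllowedPaths = (Get-ItemProperty -Path $key -Name Machine -ErrorAction Stop).Machine
    }

    # Strip a leading hive name and any trailing backslash so that
    # "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS" and "Software\Microsoft\SMS"
    # compare equal (assumption: either spelling may appear in the list).
    $normalise = {
        param($p)
        ($p.Trim() -replace '^(HKEY_LOCAL_MACHINE|HKLM:?)\\', '').TrimEnd('\')
    }
    $target = & $normalise $Path

    foreach ($entry in $AllowedPaths) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $e = & $normalise $entry
        # "Paths and sub-paths": an entry covers itself and every key beneath it.
        $covers = ($target -ieq $e) -or
                  $target.StartsWith("$e\", [System.StringComparison]::OrdinalIgnoreCase)
        if ($covers) {
            return [pscustomobject]@{ Path = $target; Allowed = $true; MatchedEntry = $entry }
        }
    }
    [pscustomobject]@{ Path = $target; Allowed = $false; MatchedEntry = $null }
}

# Constructed sample list (not taken from a real server) with the SMS entry missing.
$sample = 'System\CurrentControlSet\Control\Print\Printers',
          'Software\Microsoft\OLAP Server'
Test-RemoteRegistryPathAllowed -AllowedPaths $sample

# Live check against the local policy value.
Test-RemoteRegistryPathAllowed
```

A path listed here is still subject to the ACL on the key itself, so the entry only opens the SMS subtree to accounts that already hold permissions on it.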

Kind of a unique situation, and hoping this helps someone else.
