SCCM Microsoft RAP Real-World Tips for IT Pros Configuration Manager | Endpoint Manager MEMCM? Microsoft RAP preparation for SCCM CB infrastructure was an interesting new experience for me.
In this post, I will provide tips for having a successful and effective SCCM MS RAP data collection in the Real World.
I recommend running the MS RAP for SCCM from your top-most site in the hierarchy. If you have an SCCM hierarchy, then perform SCCM MS RAP from the CAS server or any device connected to the same domain.
Another post about ConfigMgr SCCM Microsoft RAP Results Real-World Tips for SCCM Admins here.
What is SCCM Microsoft RAP?
RAP is the Risk Assessment Program run by Microsoft’s premier support organization. SCCM MS RAP is a specific risk assessment program to identify SCCM-related issues/risks in your hierarchy or primary site.
High-level steps to complete SCCM RAP successfully
Review prerequisites on your Tools machine
It’s very important to understand the RAP Agent’s prerequisites and identify the machine (the tool machine) which you want to run the tool.
The account you plan to use to run the RAP agent should have Full SCCM Admin, SQL SYS admin, and Local Admin access on all SCCM site servers and site system servers.
It’s not recommended to run the RAP agent from the SCCM site server (CAS or Primary). But, this is not a blocking point. You should be able to run the SCCM RAP agent from CAS or the Primary server.
As per Microsoft, the tool should run on any machine in the same domain as SCCM primary server or CAS.
There is some software prerequisite also for the RAP tool. Also, it’s important to run/launch the tool with “Administrator” access. Otherwise, you may get some issues like the below.
Some useful log files for the access denied errors of the RAP tool – “Unable to find the required information about your environment”.
C:\Users\Documents\RaaS\Logs\ and C:\Users\Documents\RaaS\Tracking\
Collect data from your SCCM environment
Collecting data is THE MOST important step in the SCCM RAP process. The collection of data is going to take 3-4 hours depending on the size of your environment. I would recommend avoiding collecting data from SCCM DPs when you have 100s of DPs.
When your remote MPs/SUPs are in an untrusted forest, then the RAP agent can’t connect to those remote SCCM site systems. You have an option to skip those remote site systems in remote untrusted forests or DMZ.
Submit the SCCM RAP data to Microsoft Premier Services
There are two ways to submit the collected SCCM environment data from your environment to Microsoft services. You can submit the data from the Tool machine to Microsoft services, which is the recommended method. Another way to upload the data is via an offline procedure.
Take the Questionnaire about your IT environment
Taking the questionnaire as part of the RAP program is also one of the important steps. This would give a better idea of the processes, and best practices followed in your environment. Based on your answer to the RAP questionnaire, Microsoft will suggest the best practices we need to follow for a better environment.
Quick tips on the ports and Connectivity Required for RAP Tool
1. Make sure you input the correct Target Server Name in the RAP Tool. This should be your SCCM Server – primary or CAS server.
2. Test the connectivity from the Collection Machine to the SQL Instance hosting the SCCM database: Use SQL Server Management Studio (SSMS) to connect to the SQL instance hosting the SCCM database using Windows Authentication Mode.
3. Firewall configuration (Hardware and Windows Firewalls) required between the Tool Machine and SCCM site servers (Primary or CAS)/ MPs/SUPs/DPs
Port + Protocol Notes
TCP 135 RPC Endpoint Mapper
TCP 1024—65535 Dynamic Ports used by RPC/DCOM/WMI
TCP 139 NetBIOS session service /SMB
TCP 445 SMB over sockets/TCP
TCP 1433 Default SQL Instance Port (if you have a custom port, please make a rule for it)
UDP 137 NetBIOS name service
UDP 138 NetBIOS
UDP 1434 SQL Browser
4. Check and ensure no third-party firewall software is installed or antivirus software with built-in firewall functionality. You will need to disable the antivirus software.
References
RAP as a Service Documentation – PDF-Datasheet and Prerequisites for SCCM RAP – here
RAP as a Service (RaaS) from Microsoft Services Premier Support – Here
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………
Thanks for this, I was invited to a meeting on this and needed some background before I attend, this was really helpful of what I should expect before the meeting.
Thanks