- Remote help for Intune and Microsoft Endpoint Manager - Tue, Jan 25 2022
- Windows 10/11 Azure AD/Intune Enterprise subscription is not valid - Mon, Nov 8 2021
- Upgrade from Windows 10 to Windows 11 with Setupconfig.ini and Intune - Wed, Sep 22 2021
In short, on the machine that is to get remote help with Quick Assist, the user enters the six-digit code that the person offering remote control tells them over the phone, for instance. Then the remote-control session starts.
I recently presented on how to customize Windows 10 at events like the Midwest Management Summit (MMS) in Minneapolis, Techdays Sweden, and Techorama in Belgium. One thing that strikes me every time I explain how to block or remove Quick Assist in Windows 10 is that many people have never heard of Quick Assist. There also isn't much documentation available.
How to use Quick Assist
Launch Quick Assist on the machine you want to offer remote control from.
Select Give assistance and sign in using a Microsoft account.
You will then get a code that is valid for 10 minutes. You can also send an email or copy the code to the clipboard.
On the computer to remote control, we launch Quick Assist and then select Get assistance and enter the code generated above.
Then we need to agree to allow the person who created the code to remote control the machine.
After allowing remote control to take place, we can now remote control the machine.
The person remote controlling the other machine has a nice little menu in the upper right corner with options like Fit Screen, Select Monitor, launch Task Manager, and more.
It works well and smoothly. The person with the remote-controlled machine can pause the screen sharing, for instance, to enter a username or a password.
How Quick Assist communicates
All traffic is client-initiated, so it works great on networks using network address translation (NAT) and in Hyper-V virtual machines (VMs) using shared internet connections. Essentially, it never fails. When Quick Assist starts, it contacts the address remoteassistance.support.services.microsoft.com and then receives the host IP that services this session. The query from the client looks like this:
"Query Operation, QResult: NoError, Query ID: 0xD8DB, OpCode: NoError, Query Name: remoteassistance.support.services.microsoft.com, RR Type: A, RR Class: Internet, Answers: [184.108.40.206]"
Quick Assist uses port 443, so you needn't open any additional incoming ports.
How to remove or block Quick Assist
Should you block or remove Quick Assist? Every organization has to make this decision. For some, Quick Assist is a great feature to offer remote assistance to road warriors wherever they are. For others, Quick Assist poses a risk. Hackers could simply call users and tell them their computers have viruses and require remote cleaning.
We can block Quick Assist in many ways. However, there is no Group Policy for this purpose as there is for Remote Assistance. I also miss the ability to allow only specific accounts to offer remote control. It would also be great if Quick Assist created event log entries indicating a specific Microsoft account has remote controlled the machine.
To block Quick Assist, you can use Applocker, Windows Firewall, or simply remove it. Quick Assist is not a required Windows feature; it is an optional Windows feature also called Windows Capability. The Settings app lists it under Manage optional features:
If you want to remove Quick Assist, you cannot simply uninstall it using the Remove-Appxpackage PowerShell cmdlet as we do with built-in modern apps. Instead, you have to use Remove-WindowsCapability as shown below:
Subscribe to 4sysops newsletter!
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0
Many think that Microsoft Quick Assist is a modern app, but it is actually an .exe file located at %windir%\system32\quickassist.exe. This means we can block it using Windows Firewall or Applocker. Removing it is the cleanest option, as it removes it from Search and the Start menu as well. If you just block Quick Assist, users can still start it and then contact support if the tool isn't working as expected.