In short, the user on the machine that is to get remote help launches Quick Assist and enters the six-digit code that the person offering remote control gives them, over the phone, for instance. Then the remote-control session starts.
I recently presented on how to customize Windows 10 at events like the Midwest Management Summit (MMS) in Minneapolis, Techdays Sweden, and Techorama in Belgium. One thing that strikes me every time I explain how to block or remove Quick Assist in Windows 10 is that many people have never heard of Quick Assist. There also isn't much documentation available.
How to use Quick Assist
Launch Quick Assist on the machine you want to offer remote control from.
Select Give assistance and sign in using a Microsoft account.
You will then get a code that is valid for 10 minutes. You can also send an email or copy the code to the clipboard.
On the computer to be remote controlled, we launch Quick Assist, select Get assistance, and enter the code generated above.
Then we need to agree to allow the person who created the code to remote control the machine.
After allowing remote control to take place, we can now remote control the machine.
The person remote controlling the other machine has a nice little menu in the upper right corner with options like Fit Screen, Select Monitor, launch Task Manager, and more.
It works well and smoothly. The person with the remote-controlled machine can pause the screen sharing, for instance, to enter a username or a password.
How Quick Assist communicates
All traffic is client-initiated, so it works great on networks using network address translation (NAT) and in Hyper-V virtual machines (VMs) using shared internet connections. Essentially, it never fails. When Quick Assist starts, it contacts the address remoteassistance.support.services.microsoft.com and then receives the host IP that services this session. The query from the client looks like this:
"Query Operation, QResult: NoError, Query ID: 0xD8DB, OpCode: NoError, Query Name: remoteassistance.support.services.microsoft.com, RR Type: A, RR Class: Internet, Answers: [52.178.208.253]"
Quick Assist uses port 443, so you needn't open any additional incoming ports.
How to remove or block Quick Assist
Should you block or remove Quick Assist? Every organization has to make this decision. For some, Quick Assist is a great feature to offer remote assistance to road warriors wherever they are. For others, Quick Assist poses a risk. Hackers could simply call users and tell them their computers have viruses and require remote cleaning.
We can block Quick Assist in many ways. However, there is no Group Policy for this purpose as there is for Remote Assistance. I also miss the ability to allow only specific accounts to offer remote control. It would also be great if Quick Assist created event log entries indicating a specific Microsoft account has remote controlled the machine.
To block Quick Assist, you can use AppLocker, Windows Firewall, or simply remove it. Quick Assist is not a required Windows feature; it is an optional Windows feature, also called a Windows Capability. The Settings app lists it under Manage optional features.
If you want to remove Quick Assist, you cannot simply uninstall it using the Remove-AppxPackage PowerShell cmdlet as we do with built-in modern apps. Instead, you have to use Remove-WindowsCapability as shown below:
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0
Many think that Microsoft Quick Assist is a modern app, but it is actually an .exe file located at %windir%\system32\quickassist.exe. This means we can block it using Windows Firewall or AppLocker. Removing it is the cleanest option, as it removes it from Search and the Start menu as well. If you just block Quick Assist, users can still start it and then contact support if the tool isn't working as expected.
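The options above, combined into one script, as an added example that is not part of the original article: it reports whether Quick Assist is present, running, or has recently looked up its service host, and then removes the capability or adds an outbound firewall block. The capability name, executable path, and host name are the ones given in the article; the rule name and the `-Mode` parameter are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, remove, or firewall-block Quick Assist on the local machine.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Audit', 'Remove', 'Block')]
    [string]$Mode = 'Audit'                     # hypothetical parameter
)

# Values taken from the article
$capabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'
$exePath        = Join-Path $env:windir 'System32\quickassist.exe'
$serviceHost    = 'remoteassistance.support.services.microsoft.com'
$ruleName       = 'Block Quick Assist (outbound)'   # hypothetical rule name

$capability = Get-WindowsCapability -Online -Name $capabilityName
$rule       = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

# Audit: Quick Assist writes no event log entry of its own, so collect
# the indirect signs that it is available or was started recently.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    CapabilityState = $capability.State
    ExePresent      = Test-Path -LiteralPath $exePath
    ProcessRunning  = [bool](Get-Process -Name quickassist -ErrorAction SilentlyContinue)
    DnsCacheHit     = [bool](Get-DnsClientCache -Entry $serviceHost -ErrorAction SilentlyContinue)
    BlockRuleExists = [bool]$rule
}

switch ($Mode) {
    'Remove' {
        # Cleanest option: also removes it from Search and the Start menu.
        if ($capability.State -eq 'Installed' -and
            $PSCmdlet.ShouldProcess($capabilityName, 'Remove-WindowsCapability')) {
            Remove-WindowsCapability -Online -Name $capabilityName | Out-Null
        }
    }
    'Block' {
        # The binary stays launchable, but its client-initiated traffic
        # on port 443 is dropped, so no session can be established.
        if (-not $rule -and
            $PSCmdlet.ShouldProcess($exePath, 'Add outbound block rule')) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
                -Program $exePath -Action Block -Profile Any | Out-Null
        }
    }
}
```

Run it from an elevated session; adding `-WhatIf` to `-Mode Remove` or `-Mode Block` previews the change without applying it.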
I am assuming these security enhancements to Quick Assist have been put on a wish list for MS? I don't understand why this would not have been thought of when things like security for RDP is put into place even having a policy to only allow certain users and even subnets to allow RDP. I know that the old remote assist was tied to RDP so there was some security, has anyone tested to see if perhaps those rules still apply? Or perhaps Quick Assist is just an entirely different beast needing totally separate GPO rules?
What about TeamViewer? What are your thoughts?
Is there a way for the support person to elevate and provide credentials into the UAC prompt?
I think that is possible but you would need to disable the switch to secure desktop for UAC in advance (via GPO or secpol.msc). It's the same as in Teams remote share I guess.
It's crazy that they would create this security hole without any security controls around it.
Remote Assistance works great as a remote desktop sharing for support purposes, and it already has controls in place in GPO for enabling/disabling it and the local group membership controlling who can use it.
If they needed this tool to get around a firewall problem, why didn't they build it to use the same controls as the existing msra solution?
Crazy.