Updated on the 29th of September 2022 due to changes in Quick Assist installation.
Like I mentioned in the blogpost about Remote Help, the build in Quick Assist tool in Windows 10 and Windows 11 is great for supporting friends and family. However, it’s not that great to support an organization since vital features are missing like handling UAC and logging. There is also a lot to wish for when it comes to how accounts are managed and the overall experience in a corporate setup using Quick Assist.
So, when we have deployed Remote Help to all our users, we want to remove Quick Assist to improve security (so unauthorized people cannot remotely connect) and to ease confusion about what remote support tool to use.
There are several ways of doing this, but I’m taking the approach that we don’t have a custom image since our devices has been enrolled through Windows Autopilot using vanilla images. So how can we remove the feature, and make sure that the end-user doesn’t get creative with enabling it again?
The answer to this is using proactive remediations.
What is proactive remediations?
Proactive remediations is a part of the Endpoint analytics section of Microsoft Endpoint Manager. You can find it by going to Reports > Endpoint Analytics > Proactive Remediations. By default you will have to script packages published by Microsoft.
Proactive Remediations is a script package where you can find and fix things on your clients, before this generates a ticket to your help desk.
However, since these are scripts running, you can do about anything to be honest. Each script package consists of a detection script and a remediation script. The scripts are then deployed to the devices through MEM and will report back. You can find reports on how many times a script has run, and how many times it has fixed an issue. Fixed and issue means that it has run the remediation script. You can read more about how they work and what you can do on e.g. Microsoft Docs.
One thing you could do is to detect if a Windows component is active, and if found active then disable it.
How do I remove new Quick Assist?
Due to an update, Quick Assist have now moved in to the Microsoft Store, meaning that we need a new way to remove the store app. Next chapter will cover the old application which was a Windows Capability.
There are several ways to remove pre-installed application from Windows, you could either get the application from the Business Store and assign it as “Uninstall” for all devices/users, or you could user PowerShell to remove applications.
For this, we will use Proactive Remediation to detect if the Quick Assist is installed, and if so we will remove it. This would remove the application even if the user installs it them self. There are other ways to do this as well, like only deploying the removal part and blocking the application with AppLocker.
I’ve put these scripts in my GitHub repository, for this part use the *_app files.
First we will do detection:
WinCap = Get-AppxPackage -name "MicrosoftCorporationII.QuickAssist" try { If ($WinCap.Name -like "*MicrosoftCorporationII.QuickAssist"){ Write-Warning "Quick Assist installed - running remediation script" Exit 1 } Else{ Write-Host "Quick Assist missing - exiting" Exit 0 } } catch { Write-Host "Quick Assist missing - exiting" Exit 0 }
If our detection script finds the application, we will run a remediation script to uninstall it, just two lines of simple PowerShell code (thanks @LasseiLarod for the contribution to this).
$WinCap = Get-AppxPackage -name "MicrosoftCorporationII.QuickAssist" Remove-AppxPackage -package $WinCap.PackageFullName
Now all that we need to do is to make sure that we run the script in User Context, since the application is installed in the user context.
How do I remove old Quick Assist?
One way to disable Quick Assist, even if the user enables it again, I have found is to use a proactive remediation which checks if Quick Assist is enabled on the device, and if it finds that it is Quick Assist is disabled.
Quick Assist isn’t an app installed from the store, it’s a Windows capability which means that we cannot uninstall the app.
To do this, we firstly need a script which will identify if Quick Assist is enabled. One way of setting that up is like this, a simple PowerShell script that my college helped me create (thank you Daniel).
I’ve put these scripts in my GitHub repository.
$WinCap = Get-WindowsCapability -online -name App.Support.QuickAssist* If ($WinCap.State -match "NotPresent"){ Write-Warning "Windows Capability - Quick Assist missing - exiting" Exit 0 } else { Write-Host "Windows Capability - Quick Assist installed, Running Remediation script" Exit 1 }
This simple script will check if the Windows capability is enabled, if enabled it will run the remediation script which disables Quick Assist. It’s a one-liner:
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0
What could be good to keep in mind is that if the version of Quick Assist changes, this disable-part will stop working. I’ve’ tried using a more generic string, but I couldn’t get it to work. However, my PowerShell skills are quite limited.