Quick Assist was introduced in the 2016 Anniversary edition as an upgrade to the Windows Remote Assistance utility. It allows you to connect to another Windows 10 computer over the internet.
For remote support this is great, but it also enables "Remote Tech Support" scams without the malicious party needing to trick or persuade the victim into downloading and installing a Remote Administration Tool (RAT).
The other problem is that it gives attackers a possible way into corporate networks: the same scam can be run against remote workers, whose machines could then be used to pivot into the company via a VPN.
Below is an example of the Quick Assist tool in action. As you can see, it allows the attacker to click the UAC pop-up, enabling admin rights.
Attacker: Work Group Computer
Victim: Domain Joined Computer
Both VMs are on different networks
From Wikipedia the below connections are required
Whilst testing, both machines connected to the domains below:
api.support.microsoft.com assets.onestore.ms browser.pipe.aria.microsoft.com channelwebsdks.azureedge.net latest-swx.cdn.skype.com noammeetings.resources.lync.com rdprelaynortheuropeprod-1.support.services.microsoft.com relay.support.services.microsoft.com remoteassistance.support.services.microsoft.com skypeconfiga.support.services.microsoft.com webpoolbl20r04.infra.lync.com web.vortex.data.microsoft.com
The executable can be found at
Removing Quick Assist
Quick Assist can be removed via the
PS C:\Windows\system32> dism /online /Get-Capabilities | findstr /i "assist"
Capability Identity : App.Support.QuickAssist~~~~0.0.1.0
PS C:\Windows\system32> dism /online /Remove-Capability /CapabilityName:App.Support.QuickAssist~~~~0.0.1.0
Deployment Image Servicing and Management tool
Version: 10.0.19041.572
Image Version: 10.0.19041.572
[==========================100.0%==========================]
The operation completed successfully.
Or using PowerShell (reboot may be required)
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0
The below Group Policy settings only affect Remote Assistance and not Quick Assist ....
From some Googling, it still appears there is no way to control Quick Assist directly from GPO. You can, however, use GPO to block it completely: with AppLocker, with a Windows Firewall rule that blocks the EXE, or by removing the EXE with a login script.
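A sketch of the removal and firewall options above as one script that could be pushed as a GPO startup script. This is an added example, not code from the original post. The executable path default and the rule name are assumptions, since the post does not state them.

```powershell
#Requires -RunAsAdministrator
# Added example: remove the Quick Assist capability and block its EXE outbound.
param(
    # Assumption: usual install location; the post does not state the path.
    [string]$ExePath  = (Join-Path $env:SystemRoot 'System32\quickassist.exe'),
    # Hypothetical rule name chosen for this example.
    [string]$RuleName = 'Block Quick Assist (outbound)'
)

# Match on the capability prefix so the script does not depend on the
# version suffix (App.Support.QuickAssist~~~~0.0.1.0 in the post).
$caps = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' }

$restartNeeded = $false
foreach ($cap in $caps) {
    if ($cap.State -eq 'Installed') {
        $result = Remove-WindowsCapability -Online -Name $cap.Name
        $restartNeeded = $restartNeeded -or $result.RestartNeeded
        Write-Output "Removed capability $($cap.Name)"
    }
    else {
        # Already absent or pending removal: report and move on.
        Write-Output "Capability $($cap.Name) state: $($cap.State)"
    }
}

# Second layer: block the binary at the host firewall in case the
# capability is added back later. Only create the rule once.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
        -Program $ExePath -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule '$RuleName' for $ExePath"
}

# Verification: flag machines where the EXE is still on disk.
if (Test-Path -LiteralPath $ExePath) {
    Write-Warning "$ExePath still exists; a reboot may be pending."
}
if ($restartNeeded) {
    Write-Warning 'Restart required to complete removal.'
}
```

The firewall rule matches on program path only, so it does not cover a copy of the binary run from another location; AppLocker is the control for that case.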
If a remote support solution is required, then something like LogMeIn, BeyondTrust or Dameware should be used, where you can restrict and log access. There should also be a policy in place and a well-known procedure for initiating connections, so that users can confirm it is their IT team and not a malicious attacker trying to connect.