Defence

Recently this subject has come up again, so I thought I would create a post.

By default Windows comes with Quick Assist, an RDP-based service which is encapsulated in HTTPS. It allows users to both offer and request assistance between two Windows machines (remote control). You can read more here:

https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist

How to disable/remove

Clearly you could do this in a load of ways: EDR, firewalls (host or perimeter), application allow/block listing, etc. I'm going to show removal via PowerShell:

To remove the feature:

Remove-WindowsCapability -Online -Name "App.Support.QuickAssist~~~~0.0.1.0"

The domain to block is:

remoteassistance.support.services.microsoft.com

You can see the URL here:

https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
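
To confirm that both steps above took effect on a host, the following script reports the capability state and whether the Quick Assist service domain is still reachable, and removes the capability when run with -Remove. It is an added example, not part of the original post; the script layout, the function name Get-QuickAssistExposure and the Store package name MicrosoftCorporationII.QuickAssist are assumptions that the post does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Quick Assist exposure, optionally remove the capability.
param([switch]$Remove)

$CapabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'               # from the post
$BlockedDomain  = 'remoteassistance.support.services.microsoft.com'  # from the post
# Assumption (not in the post): package name of the Store-delivered Quick Assist.
$StorePackage   = 'MicrosoftCorporationII.QuickAssist'

function Get-QuickAssistExposure {
    # State of the Windows capability that the post removes.
    $cap = Get-WindowsCapability -Online -Name $CapabilityName

    # A Store (AppX) copy is a separate install; report it so it is not missed.
    $appx = Get-AppxPackage -AllUsers -Name $StorePackage

    # A sinkhole can still "resolve" the name, so also test TCP/443.
    $dns = Resolve-DnsName -Name $BlockedDomain -ErrorAction SilentlyContinue
    $reachable = $false
    if ($dns) {
        $reachable = (Test-NetConnection -ComputerName $BlockedDomain -Port 443 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CapabilityState  = $cap.State      # Installed or NotPresent
        StoreAppPresent  = [bool]$appx
        DomainResolves   = [bool]$dns
        Port443Reachable = $reachable
    }
}

$before = Get-QuickAssistExposure
if ($Remove -and $before.CapabilityState -eq 'Installed') {
    Remove-WindowsCapability -Online -Name $CapabilityName | Out-Null
}

# Re-check after any change and flag hosts that are still exposed.
$after = Get-QuickAssistExposure
$after
if ($after.CapabilityState -eq 'Installed' -or $after.StoreAppPresent -or
    $after.Port443Reachable) {
    Write-Warning "Quick Assist is still usable on $($after.ComputerName)."
}
```

Run it from an elevated PowerShell session; without -Remove it only reports and changes nothing.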

How to re-install

You can re-install this by running the following:

Add-WindowsCapability -Online -Name "App.Support.QuickAssist~~~~0.0.1.0"

Summary

This feature is really useful but it can also be abused by threat actors. So it’s good to understand the risk position and then you can make a choice to leverage or remove this feature.