Recently this subject has come up again, so I thought I would create a post.
By default Windows comes with Quick Assist, an RDP-based service which is encapsulated in HTTPS. It allows users to both offer and request assistance (remote control) between two Windows machines. You can read more here:
https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
How to disable/remove
Clearly you could do this in a load of ways: EDR, firewalls (host or perimeter), app allow/block listing, etc. I’m going to show removal via PowerShell:
To remove the feature:
Remove-WindowsCapability -Online -Name "App.Support.QuickAssist~~~~0.0.1.0"
The domain to block is:
remoteassistance.support.services.microsoft.com
You can see the URL here:
https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
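The removal and the domain block above can be checked together. The script below is an added example, not part of the original post: it records the capability state, removes it if installed, re-checks, and tests whether the blocked domain is still reachable on 443. The function and variable names are my own, and the Store-delivered package name `MicrosoftCorporationII.QuickAssist` is not mentioned in this post; it is checked report-only because newer builds can carry Quick Assist as a Store app.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, remove and verify Quick Assist on the local machine.
$CapabilityName = 'App.Support.QuickAssist~~~~0.0.1.0'               # capability name from this post
$BlockedDomain  = 'remoteassistance.support.services.microsoft.com'  # domain from this post
$StorePackage   = 'MicrosoftCorporationII.QuickAssist'               # assumption: Store app name, not from this post

function Get-QuickAssistState {
    # Returns the capability state as a string (e.g. Installed, NotPresent).
    $cap = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction SilentlyContinue
    if ($null -eq $cap) { return 'Unknown' }
    return [string]$cap.State
}

function Test-QuickAssistEgress {
    # True when TCP 443 to the domain still connects, i.e. the block is NOT effective.
    $r = Test-NetConnection -ComputerName $BlockedDomain -Port 443 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

$before = Get-QuickAssistState
if ($before -eq 'Installed') {
    $result = Remove-WindowsCapability -Online -Name $CapabilityName
    if ($result.RestartNeeded) {
        Write-Warning 'Restart required to complete removal of Quick Assist.'
    }
}
$after = Get-QuickAssistState

# Report only: the Store version is not touched here, just flagged for follow-up.
$storeApp = Get-AppxPackage -AllUsers -Name $StorePackage -ErrorAction SilentlyContinue

# One object per machine so the output can be collected centrally (Export-Csv, etc.).
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    StateBefore      = $before
    StateAfter       = $after
    StoreAppPresent  = [bool]$storeApp
    DomainReachable  = Test-QuickAssistEgress
}
```

A clean result is `StateAfter` of `NotPresent`, `StoreAppPresent` of `False` and `DomainReachable` of `False`; anything else means one of the two controls has not taken effect on that machine.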
How to re-install
You can re-install this by running the following:
Add-WindowsCapability -Online -Name "App.Support.QuickAssist~~~~0.0.1.0"
Summary
This feature is really useful but it can also be abused by threat actors. So it’s good to understand the risk position and then you can make a choice to leverage or remove this feature.