So this weekend, I sat down knowing I needed to blog. It has been almost EIGHT weeks since I’ve written one, and that’s really too long.
I have a few draft blogs which are starting to take the form of a series that my friend MVP Darrell Webster helped name “How I stay Intune”, but the last few months have been very busy (work, home life – I’m a 100% single parent) and burnout is becoming a very real reality for me right now.
So after seeing that Microsoft had released a new version of Quick Assist, and reading that it is available via the Microsoft Store, I started wondering whether I could use Intune to remove this new version of the app from Intune-managed Windows devices.
Over the years, there have been thoughts around how to manage the Quick Assist app in an enterprise environment. These range from using AppLocker to block the app to ensuring that the basics, such as restricted Local Admin, good threat detection and hardened Windows endpoints (just a few off the top of my head), are configured.
So this weekend, I set to work in my Intune lab to see if this theory was something that could be a possibility.
Deploying the new Microsoft Store version of Quick Assist was simple (ok, I did this bit several weeks ago)…
Logging on to Microsoft Store for Business, I searched for the new Quick Assist app and added it.
The next time my Intune Microsoft Store for Business connector synced with the store, the new Quick Assist app would be available in Intune as an app to deploy.
I proceeded to deploy the app to my Windows Endpoints successfully.
Fast forward to this weekend and I finally dedicated some time to start testing my theory.
In my lab, I have four test Windows devices: Windows 10 (21H2), Windows 11 (21H2), Windows 11 Insider Beta Channel and Windows 11 Dev Channel. Because of the weekly nature of updates to my Dev channel device, I have excluded it from this bit of work.
For the three other devices, I confirmed that the new app had been deployed to the devices. The version was 188.8.131.52 (This is important for later)
My next step was to change the deployment assignment on the app from Required to Uninstall.
As expected, at the next Intune sync, the store version of Quick Assist was removed. This however is where I ran into some inconsistent results.
On the Windows 10 (21H2) and Windows 11 (21H2) devices, the original Quick Assist was still present, while the Windows 11 Beta Channel device showed no Quick Assist (the result I was after). After a bit of reading, the Office Insider Blog looked like it had some answers.
Now the blog only talks about shortcuts, and I wasn’t 100% sure that the presence of the original Quick Assist app is related, but I’m also not dismissing it either.
Noting that I had an older version of Quick Assist, I wondered if this was the reason, so I switched the assignments on the app back to Required to see if the 184.108.40.206 version would be deployed to these devices, and I could test the theory that the 220.127.116.11 version is required for the original Quick Assist version to be properly removed.
So after several syncs and noting the Install Pending status in Intune, there was no new Quick Assist app… Weird…
I noticed that the app had failed to install on the following Account Settings page
I recalled the following note in the Office Insider blog, and while all devices do use Edge, and two of the three are Windows 11, I decided to deploy WebView2 to the devices just in case that may have been causing an issue.
A few syncs later, and still no change.
The next step was to wipe some of the devices and start from scratch (with both WebView2 and Quick Assist set to deploy)
The devices onboarded as normal, well, right up to the tail end of the Account Setup stage where a UAC prompt appeared. This is not something that would normally happen.
On one device, I clicked No and ended up at the desktop, while on the other one, I authenticated with an Admin account.
On the one where I clicked No, there was still no Quick Assist, and the same error in the Account Settings page. On the one I did authenticate with, Quick Assist had successfully installed.
I recalled a note about UAC in the Office Insider blog.
So there appears to be some more work for Quick Assist needed.
Finally, I removed the Quick Assist (and WebView2) app deployments, and Intune wiped the devices. They onboarded without any issues (and no UAC prompts).
For those who are using Quick Assist in an enterprise environment along with Windows Autopilot – be aware that you may have UAC issues with new onboarding devices until Microsoft are able to resolve this. I know Remote Help is on the expensive side of things, but it is recommended over Quick Assist, as Quick Assist is not a secure tool and, if accessible, anyone could potentially be socially engineered into granting access to an undesirable person.
All in all, Quick Assist isn’t quite ready for Prime Time.
Oh, and that theory of this new version of Quick Assist removing the original version of Quick Assist… well, it’s still kind of there, so existing methods to block it should also remain.
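One way to check which Quick Assist variants are actually left on a device after the Store app is switched to Uninstall, as an added example (not code from the original post). It assumes the Store package name `MicrosoftCorporationII.QuickAssist` and the Windows capability name `App.Support.QuickAssist`, neither of which appears above, and follows the exit-code convention of an Intune Remediations detection script.

```powershell
# Added example: reports every Quick Assist variant still present on this device.
# Run elevated: Get-AppxPackage -AllUsers and Get-WindowsCapability -Online need admin rights.

function Get-QuickAssistPresence {
    $found = [System.Collections.Generic.List[object]]::new()

    # Store version (assumed package name), the one deployed through Intune.
    $store = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($pkg in $store) {
        $found.Add([pscustomobject]@{ Variant = 'Store app'; Detail = "$($pkg.Name) $($pkg.Version)" })
    }

    # Original version, shipped with Windows as an optional capability (assumed name).
    $caps = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Installed'
    foreach ($cap in $caps) {
        $found.Add([pscustomobject]@{ Variant = 'Original (capability)'; Detail = $cap.Name })
    }

    # Binary of the original version, checked separately so a leftover
    # executable is reported even if the capability query returns nothing.
    $exe = Join-Path $env:SystemRoot 'System32\quickassist.exe'
    if (Test-Path -LiteralPath $exe) {
        $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $found.Add([pscustomobject]@{ Variant = 'Original (binary)'; Detail = "$exe $ver" })
    }

    return $found
}

# @() forces an array so .Count is reliable for zero or one result in Windows PowerShell 5.1.
$result = @(Get-QuickAssistPresence)

if ($result.Count -gt 0) {
    $result | ForEach-Object { Write-Output "$($_.Variant): $($_.Detail)" }
    exit 1   # non-zero: Quick Assist is still present in some form
}

Write-Output 'Quick Assist not found'
exit 0       # zero: neither version is present
```

Run on devices like the Windows 10 (21H2) and Windows 11 (21H2) machines above, the output shows whether it is the Store app, the original, or both that remain, which is what decides whether existing blocks still need to stay in place.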