Windows Quick Assist feature, a security issue.
Earlier this week Simon Woodburn, our ICT Support Engineer, came across a Windows feature he was previously unaware of: Quick Assist, a Remote Access Tool (RAT) built into Windows 10 and active by default.
What is Quick Assist and why is it a potential security risk?
Quick Assist is a replacement for Remote Assistance released with the Windows 10 Anniversary Update. Based on the Remote Desktop Protocol, it allows for the remote viewing and control of another device over the network or (importantly) the internet.
Quick Assist is similar in its basic functionality to other RATs such as TeamViewer or Splashtop, with the main difference being that you didn’t choose to install it and, like myself, probably didn’t even know it was there until now.
This is where the security implications of this RAT occurred to me: if you open your Start menu and type Quick Assist, there it is, just sat there happily increasing your attack surface.
- Quick Assist doesn’t require administrative rights to run or connect in either direction
- Quick Assist communicates with a central Microsoft server on port 443, so it will not be blocked by default on most firewalls
- Quick Assist has no Group Policy settings associated with it, so can’t be centrally managed
- The only requirement for use is on the “assistance” giver’s side; they’ll need a Microsoft account such as an @outlook.com address (which is free and can be created in a matter of minutes)
I’m sure you’re just as concerned as I was about having this RAT sat on every Windows 10 device in our tenancies, waiting to be exploited by some nefarious individual. I can easily imagine the scenario where a person with malicious intent can call a company posing as a Microsoft technician who has helpfully spotted that their device has a virus or some other important problem and can fix it there and then if the user could “just enter this six-digit code into Quick Assist”.
How do you remove Quick Assist?
Luckily, Quick Assist is easily removed with a few lines of PowerShell that can be pushed to all managed Windows 10 devices in your tenancy via Intune or System Center Configuration Manager, detailed below:
# Find the Quick Assist optional capability on the running (online) Windows image
$apps = Get-WindowsCapability -Online -Name "*QuickAssist*"
foreach ($app in $apps) {
    # Remove each matching capability
    Remove-WindowsCapability -Online -Name $app.Name
}
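For a fleet-wide push it helps if the script only acts on devices where the capability is actually installed, confirms the result, and reports back through its exit code. The following is an added example, not part of the original post; it assumes an elevated (administrator or SYSTEM) session and that your deployment tool treats exit code 0 as success and 1 as failure. The function names are hypothetical.

```powershell
# Added example: idempotent Quick Assist removal with verification.
# Assumption: runs elevated; the -Online capability cmdlets require it.
$ErrorActionPreference = 'Stop'   # make cmdlet errors catchable

function Get-InstalledQuickAssist {
    # Same wildcard as the article's snippet, narrowed to installed entries only
    @(Get-WindowsCapability -Online -Name '*QuickAssist*' |
        Where-Object { $_.State -eq 'Installed' })
}

function Remove-QuickAssist {
    $removed = @(); $failed = @(); $restart = $false
    foreach ($cap in Get-InstalledQuickAssist) {
        try {
            $r = Remove-WindowsCapability -Online -Name $cap.Name
            $removed += $cap.Name
            if ($r.RestartNeeded) { $restart = $true }
        }
        catch {
            # Record the failure and carry on so one error does not hide the rest
            $failed += "$($cap.Name): $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Removed       = $removed
        Failed        = $failed
        RestartNeeded = $restart
    }
}

$outcome   = Remove-QuickAssist
$remaining = Get-InstalledQuickAssist   # re-query instead of trusting the removal call

if ($outcome.Removed.Count -gt 0) { Write-Output "Removed: $($outcome.Removed -join ', ')" }
if ($outcome.RestartNeeded)       { Write-Output 'A restart is needed to finish the removal.' }

if ($outcome.Failed.Count -gt 0 -or $remaining.Count -gt 0) {
    $outcome.Failed | ForEach-Object { Write-Output "Failed: $_" }
    $remaining      | ForEach-Object { Write-Output "Still installed: $($_.Name)" }
    exit 1   # assumed convention: non-zero = device still exposes Quick Assist
}

Write-Output 'Quick Assist capability is not installed.'
exit 0
```

Because it exits 0 without changing anything when the capability is already absent, the same script can be re-run on a schedule to catch devices where Quick Assist reappears.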
Remove Quick Assist from your personal devices.
And if you would like to remove it from your personal devices, it can be found in Settings > Apps > Optional Features.
Written by Simon Woodburn, Curatrix ICT Support Engineer
Hard work and forward-thinking
Thanks to Simon’s knowledge and experience, he has spotted a security issue. It goes to show how looking after your ICT infrastructure and the security of your customer data is not straightforward and, with the help of an IT management team, you are covered.
Well done Simon, you did a great job!