Remove Quick Assist (and other built-in apps) across your enterprise automatically using PowerShell and Microsoft Intune

Introduction

Disclaimer! The following introduction has been written using Copilot, because time is of the essence and AI is or will be an inevitable thing – also in regard to writing blogs. The script and the rest of the post are written by me. 🙂

In the ever-evolving landscape of cybersecurity, staying one step ahead is crucial. Today, we delve into a PowerShell script designed to enhance your system’s security by removing the Quick Assist app from Windows 11.

As highlighted in this Microsoft Security Blog, threat actors have been misusing Quick Assist in social engineering attacks leading to ransomware. Quick Assist, a built-in remote control app in Windows 11, has been exploited by cybercriminals, notably the financially motivated group Storm-1811, known for deploying Black Basta ransomware.

To counter this threat, our featured PowerShell script removes the Quick Assist app from your system. This script is a proactive measure to mitigate the risk of such attacks, especially for environments where Quick Assist is not in use.

In the following sections, we’ll walk you through the script and its usage with Microsoft Intune. Let’s get started!

PowerShell

The script is located here on my GitHub repository: Proactive-Remediations/Detect-Remediate-Windows-11-Built-In-Apps.ps1 at main · imabdk/Proactive-Remediations (github.com)

  • NOTE: The synopsis of the script is written by GitHub Copilot. I left it as is, without changing anything. 🙂

The script accepts 2 parameters: -runDetection and -runRemediation.

-runDetection

This portion of the script detects whether any of the defined built-in apps (appxpackages), including Quick Assist, are installed. If any of the apps are installed, the script exits with exit code 1, instructing Microsoft Intune to kick off the remediation script.

-runRemediation

This portion of the script will remove the apps defined in the $appxPackageList array.

  • Edit the $appxPackageList array to suit your needs. I have included the Quick Assist app as well as the consumer-oriented Teams app.

Detect-Remediate-Windows-11-Built-In-Apps.ps1

In short, the script does the following:

  • Detects whether any of the defined built-in apps are currently installed
    • If any are found and -runRemediation is set to $true, the apps are uninstalled
  • Exits gracefully to signal either success or failure to Intune

Microsoft Intune

Put the script to use with Microsoft Intune and the Remediation feature. The script comes as a standalone script, but running it with Microsoft Intune and Remediation requires 2 scripts.

The first script has -runDetection set to $true and -runRemediation set to $false. The second script has both set to $true.
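
A minimal sketch of the detect/remediate pattern described above, as an added example and not the author's script from the GitHub repository. The package names in $appxPackageList are assumptions to verify on a reference device with Get-AppxPackage, and removing the provisioned package is an extra step the post does not describe.

```powershell
# Added example: not the author's Detect-Remediate-Windows-11-Built-In-Apps.ps1
param(
    [bool]$runDetection   = $true,
    [bool]$runRemediation = $false
)
# Assumed package names; confirm with: Get-AppxPackage -AllUsers | Select-Object Name
$appxPackageList = @(
    'MicrosoftCorporationII.QuickAssist',  # Quick Assist
    'MicrosoftTeams'                       # consumer-oriented Teams
)
if (-not $runDetection) { Write-Output 'Detection disabled; nothing to do.'; exit 0 }

# -AllUsers requires elevation, so run the remediation in SYSTEM context
$found = @(foreach ($name in $appxPackageList) {
    Get-AppxPackage -AllUsers -Name $name -ErrorAction SilentlyContinue
})

if ($found.Count -eq 0) {
    Write-Output 'Compliant: none of the listed apps are installed.'
    exit 0
}
if (-not $runRemediation) {
    # Exit code 1 marks the device as non-compliant so Intune runs the remediation script
    Write-Output ('Non-compliant: ' + (($found.Name | Sort-Object -Unique) -join ', '))
    exit 1
}

$failed = @()
foreach ($pkg in $found) {
    try {
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
    } catch {
        $failed += $pkg.Name   # keep going, report every failure at the end
    }
}
# Remove the provisioned copy too, so new user profiles do not get the app back
Get-AppxProvisionedPackage -Online |
    Where-Object { $appxPackageList -contains $_.DisplayName } |
    ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName -ErrorAction SilentlyContinue | Out-Null }

if ($failed.Count -gt 0) {
    Write-Output ('Remediation failed for: ' + (($failed | Sort-Object -Unique) -join ', '))
    exit 1
}
Write-Output 'Remediation succeeded.'
exit 0
```

Saved twice with different parameter defaults, this gives the detection script ($runRemediation = $false) and the remediation script (both $true) that the Remediation feature expects.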

Device status

The script will output various status messages to Intune. This is useful when setting this up initially or troubleshooting.

The scripts also log their actions to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\HealthScripts.log
