
Block the Quick Assist Binary

Create a standalone policy that only blocks Quick Assist Binary

Violet Hansen (@HotCakeX) created the WDACConfig (Windows Defender Application Control) Module as part of the awesome Harden Windows Security repository.

Part of the WDACConfig Module is the New-DenyWDACConfig command, which offers a clean way to block the Quick Assist Binary with a standalone deny policy.

First you need to install the WDACConfig Module:

# Install the required module from the PowerShell Gallery
Install-Module -Name WDACConfig

Now create the policy with New-DenyWDACConfig:

# Create a standalone deny policy for the installed Quick Assist AppX package
New-DenyWDACConfig -InstalledAppXPackages -PackageName 'MicrosoftCorporationII.QuickAssist' -PolicyName 'Quick Assist Block'

The resulting policy, named Quick Assist Block, denies the MicrosoftCorporationII.QuickAssist package, so Quick Assist will no longer start on devices where the policy is deployed.

I think this is a very smart way to prevent the usage of Quick Assist if you don't need it, or if you want to prevent the abuse of it.

If you have added the NRPT rule for remoteassistance.support.services.microsoft.com as mentioned in my previous post, you can now remove that rule:

# Remove the NRPT sinkhole rule for the old Quick Assist endpoint, if present
(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
         ($_.Namespace -eq 'remoteassistance.support.services.microsoft.com')
}) | Remove-DnsClientNrptRule -Force -Confirm:$false

But you can keep it if you like!

Prepare for the following change

Microsoft changed the endpoint from remoteassistance.support.services.microsoft.com to remotehelp.microsoft.com! Therefore you should create another rule anyway!

Updated Rule:

# Sinkhole the new domain name with an NRPT rule (0.0.0.0 as the name server), unless one already exists
if (!(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
         ($_.Namespace -eq 'remotehelp.microsoft.com')
}))
{
   Add-DnsClientNrptRule -Namespace 'remotehelp.microsoft.com' -NameServers '0.0.0.0' -Verbose -ErrorAction Continue -Confirm:$false
}

And if you would like to have this as an updated Intune remediation, here are the detection and remediation scripts:

# Intune Detection: exit 1 (non-compliant) when the NRPT rule is missing, exit 0 when it is present
if (!(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
         ($_.Namespace -eq 'remotehelp.microsoft.com')
}))
{
   Write-Host -Object 'Namespace entry was not found'
   exit 1
}
else
{
   Write-Host -Object 'Namespace entry was found'
   exit 0
}

# Intune Remediation: add the NRPT rule when it is missing
if (!(Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object -FilterScript {
         ($_.Namespace -eq 'remotehelp.microsoft.com')
}))
{
   Add-DnsClientNrptRule -Namespace 'remotehelp.microsoft.com' -NameServers '0.0.0.0' -Verbose -ErrorAction Stop -Confirm:$false
}
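The post describes two separate controls (the WDAC deny policy and the NRPT rules for both the old and the new endpoint), and in practice you will want to check that all of them are actually in place on a device. The following audit script is an added example and is not part of the original post or of the WDACConfig module. It assumes the policy was created with -PolicyName 'Quick Assist Block', that the NRPT rules use the two namespaces from this post, and that CiTool.exe (Windows 11 22H2 or later) is available to list loaded Code Integrity policies; the property names read from CiTool's JSON output (FriendlyName, IsEnforced) are assumptions based on its documented output format.

```powershell
# Added example (not from the original post or the WDACConfig module):
# audit whether the Quick Assist controls described above are in place.
# Assumptions: policy name 'Quick Assist Block', the two namespaces from the
# post, and CiTool.exe for listing loaded WDAC policies (Windows 11 22H2+).
#Requires -RunAsAdministrator

$PolicyName  = 'Quick Assist Block'
$PackageName = 'MicrosoftCorporationII.QuickAssist'
$Namespaces  = @(
    'remoteassistance.support.services.microsoft.com',   # old endpoint
    'remotehelp.microsoft.com'                           # new endpoint
)
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Is the Quick Assist AppX package installed for any user on this device?
$Package = Get-AppxPackage -AllUsers -Name $PackageName -ErrorAction SilentlyContinue
if ($Package) {
    Write-Host "Package $PackageName is installed (version $($Package.Version -join ', '))"
} else {
    Write-Host "Package $PackageName is not installed on this device"
}

# 2. Is a WDAC policy with the expected friendly name loaded and enforced?
$CiTool = Join-Path -Path $env:SystemRoot -ChildPath 'System32\CiTool.exe'
if (Test-Path -Path $CiTool) {
    # CiTool --list-policies --json returns a JSON document with a 'Policies' array
    # (property names below are assumed from CiTool's JSON output)
    $Policies = (& $CiTool --list-policies --json | ConvertFrom-Json).Policies
    $Match = $Policies | Where-Object -FilterScript { $_.FriendlyName -eq $PolicyName }
    if (-not $Match) {
        $Findings.Add("WDAC policy '$PolicyName' is not loaded")
    } elseif (-not $Match.IsEnforced) {
        $Findings.Add("WDAC policy '$PolicyName' is loaded but not enforced (audit mode)")
    }
} else {
    $Findings.Add('CiTool.exe not found; cannot verify loaded WDAC policies on this OS build')
}

# 3. Is an NRPT sinkhole rule (name server 0.0.0.0) present for each namespace?
$Rules = Get-DnsClientNrptRule -ErrorAction SilentlyContinue
foreach ($Namespace in $Namespaces) {
    $Rule = $Rules | Where-Object -FilterScript { $_.Namespace -eq $Namespace }
    if (-not $Rule) {
        $Findings.Add("No NRPT rule for $Namespace")
    } elseif ($Rule.NameServers -notcontains '0.0.0.0') {
        $Findings.Add("NRPT rule for $Namespace does not point at 0.0.0.0")
    }
}

# 4. Report using the same exit-code convention as the Intune detection script
if ($Findings.Count -eq 0) {
    Write-Host -Object 'All Quick Assist controls are in place'
    exit 0
} else {
    $Findings | ForEach-Object -Process { Write-Host -Object "Finding: $_" }
    exit 1
}
```

Because the script exits with 1 whenever any control is missing and prints one line per finding, it can be dropped into Intune as a detection script that covers the whole Quick Assist block at once, while the remediation script above stays limited to re-adding the NRPT rule. Keep in mind that the NRPT rule only affects name resolution on the device where it is applied; the WDAC policy is what stops the package itself from running.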

I also created a GitHub Gist for better source code and copy & paste handling for you: