`Quick Assist` on Microsoft Store prompts for admin, even if running `winget` as admin

Open o-l-a-v opened this issue 2 years ago • 5 comments

Brief description of your issue

The built-in version of Quick Assist in Windows does not work anymore; one must switch over to the Microsoft Store version.

  • https://techcommunity.microsoft.com/t5/office-insider/remote-assistance-with-quick-assist-is-changing/m-p/3297231
  • https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5?hl=en-us&gl=US
  • https://call4cloud.nl/2022/05/the-100-year-old-quick-assist-tool-who-climbed-out-the-window-and-disappeared/
  • https://www.reddit.com/r/sysadmin/comments/uhj0n9/quick_assist_needs_an_update/

But the Microsoft Store version prompts for admin.

  • So local users without local admin permissions can't install it.

But what's even better is that, even if trying to install it from CMD running as admin or SYSTEM, the install still prompts for admin permissions.

Steps to reproduce

Regular user with admin permissions - Prompts for admin.

```
winget install --id 9P7BP5VNWKX5 --silent --accept-package-agreements --accept-source-agreements --source msstore
```

SYSTEM. Prompts for admin, so it fails with exit code -1073741819 according to %errorlevel%.

```
pushd "%ProgramW6432%\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe" && winget install --id 9P7BP5VNWKX5 --silent --accept-package-agreements --accept-source-agreements --source msstore
```

Expected behavior

Running as admin should be inherited down to the installer as well.

Actual behavior

Prompts for admin, which makes it hard to automate the task of installing software like Quick Assist in this example.

Environment

```
Windows Package Manager v1.2.0
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19044.1706

Logs: %TEMP%\WinGet
```

o-l-a-v, May 16 '22 09:05

This is an MSIX package in the Store, so you won't be able to install it as SYSTEM. We have had some discussions around implementing a machine scope install for MSIX packages in winget, though I doubt that will allow for installation of Store packages as SYSTEM.

As to the admin requirement, I believe it is coming from the combination of runFullTrust and uiAccess capabilities in the package. The Store installation APIs on Windows are apparently not taking the caller being admin as evidence of admin approval; I don't know if that is policy, technical limitation, or bug.

We would need to follow up with the owner of the API to determine if we could get the following changes:

  1. If called as SYSTEM, stage the package without registering it
  2. If called as admin user for packages requiring admin authorization, don't request again

I can't give any kind of timeframe on when (nor if) these changes would be in place.

JohnMcPMS, May 17 '22 21:05
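
An added example (not from the thread or the winget-cli project): a pre-deployment check that parses an AppxManifest.xml and reports whether it declares the runFullTrust and uiAccess capabilities that the comment above suspects are behind the admin prompt. The manifest, its Contoso identity, and the function names are constructed for illustration; the real Quick Assist manifest is not reproduced here.

```python
import xml.etree.ElementTree as ET

# Capabilities the comment above suspects are behind the admin prompt.
REPORTED_COMBINATION = {"runFullTrust", "uiAccess"}

# Constructed manifest for illustration only; NOT the real Quick Assist manifest.
SAMPLE_MANIFEST = """<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="Contoso.RemoteHelp" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="runFullTrust" />
    <rescap:Capability Name="uiAccess" />
  </Capabilities>
</Package>"""


def split_tag(tag):
    """Split an ElementTree tag '{namespace}local' into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def declared_capabilities(manifest_xml):
    """Map each capability name under <Capabilities> to 'restricted' or 'standard'."""
    caps = {}
    for parent in ET.fromstring(manifest_xml).iter():
        if split_tag(parent.tag)[1] != "Capabilities":
            continue
        for child in parent:
            ns, _ = split_tag(child.tag)
            name = child.attrib.get("Name")
            if name:
                caps[name] = "restricted" if ns.endswith("/restrictedcapabilities") else "standard"
    return caps


def audit(manifest_xml):
    """Summarise the declarations a deployment reviewer should look at first."""
    caps = declared_capabilities(manifest_xml)
    return {
        "restricted": sorted(n for n, kind in caps.items() if kind == "restricted"),
        "matches_reported_combination": REPORTED_COMBINATION.issubset(caps),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Run against the AppxManifest.xml extracted from a package before rollout, a match tells you to plan for an admin-context install rather than a per-user one.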

The Quick Assist team shared a link to their F.A.Q.s

denelon, May 18 '22 19:05

I am curious how MS expects admins to reliably deploy software in production if constantly hit with freak limitations like this.

To add to this, when using WinGet to search for the Quick Assist app, there's very little information returned;

```
winget search 'quick assist'
Name         Id           Version Source
------------------------------------------
Quick Assist 9P7BP5VNWKX5 Unknown msstore
```

  • Why is version unknown?
  • Why is there no publisher?
  • Why is there no url link?
  • Purely through this result, how would I know this is MS Quick Assist and not some random piece of spyware filth?

I understand that some of this is down to the submitter of application to the store, but still, it's sad to see this happen internally at MS. winget could be great for us Admins, but it's just not quite there yet.

TreeBranches, May 19 '22 11:05

The Microsoft Store does not expose version information yet. The work is scheduled with future enhancements. The submission process to the Microsoft Store is very different than the Windows Package Manager Community Repository. Both sources have rigorous automated and manual verifications to avoid Potentially Unwanted Applications (PUA).

```
winget show "quick assist"
Found Quick Assist [9P7BP5VNWKX5]
Version: Unknown
Publisher: Microsoft Corp.
Description: Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. It can be used to remotely connect to a device and then view its display, make annotations, or take full control. In this way, you can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
License: ms-windows-store://pdp/?ProductId=9P7BP5VNWKX5
Privacy Url: https://go.microsoft.com/fwlink/?LinkId=521839
Agreements:
Category: Utilities & tools
Pricing: Free
Free Trial: No
Terms of Transaction: https://aka.ms/microsoft-store-terms-of-transaction
Seizure Warning: https://aka.ms/microsoft-store-seizure-warning
Store License Terms: https://aka.ms/microsoft-store-license

Installer:
  Type: msstore
  Store Product Id: 9P7BP5VNWKX5
```

denelon, May 19 '22 16:05

The same thing happens when we install the Quick Assist appx using DISM and provision it into the image. Admin users can open it instantaneously, but when normal users click on it, a percentage bar goes through and nothing happens; you might try clicking on it 2 or 3 times, then it finally opens up. We see a lot of errors in the event log getting access denied. This needs to be fixed by the application developer of Quick Assist; I believe winget has nothing to do with it. There must be something declared in the manifest.xml which allows you to run it in elevated mode.

leocoolmitra, May 21 '22 08:05

The store version of Quick Assist has several dependencies, most of which will be installed automatically if QA is installed using Winget, or by using the store (either manually or via Intune). However, the store modern-app requires the 'uiAccess' capability for remote screen sharing, which is a privileged access control that needs admin approval (I'm probably using the wrong terms to describe this). This requirement will pop a UAC prompt for non-admin users, who are then unable to register the app, and ultimately the installation fails. The workaround is to ensure you are installing the Offline license of Quick Assist so it can be installed in the Machine context instead of the User context, and that basically means some admin has to install the app for the non-admin users to use. The easiest way to do that (IMO) is with Intune from the Store, but ConfigMgr can install Store apps with the offline licenses too.

Additionally, the modern-app from the store now uses WebView2 which is essentially a web/ui library that is being used instead of the now-classic Internet Explorer engine (IE). WV2 is not guaranteed to be on Windows (particularly Win10), so sometimes WebView2 needs to be installed as well, and the Store/Winget does not do that. You can package and distribute WV2, or there's an 'evergreen installer' you could use via a script (like I did with Get-UpdatedWebView2.ps1), but there's actually a policy on Windows that will allow silent installation of WV2 if an app requires it. It's something that the Edge browser will do as part of its update engine, if configured to do so.

I wrote more details about all of this, and how to configure the install/update policies here https://mrshannon.wordpress.com/2022/06/06/get-updated-quick-assist-and-webview2-for-standard-users/

If you just want to use Winget to install QuickAssist, you could also take a look at the Invoke-QuickAssist script that I wrote. That script will install Winget, all the dependencies as well as install Quick Assist from the store and run it. The idea was to be able to run Quick Assist in the Windows OOBE for troubleshooting Autopilot deployments, but you could use it to do all the prereq checking, downloading and installing the things and use in your Task Sequence, or whatever suits your situation. https://mrshannon.wordpress.com/2022/07/06/screen-share-from-oobe-with-quick-assist/

I hope that helps!

shannonfritz, Nov 29 '22 21:11

Hi shannonfritz

Your Invoke-QuickAssist script is great but doesn't seem to work when run as SYSTEM, which is common when leveraging RMM tools to run scripts. Is it possible to update it to work when run as SYSTEM?

TO360-IzzyDanza, Aug 23 '23 14:08