Call4Cloud | MMP-C | Autopilot | Device Preparation

The 100-Year-Old Quick Assist tool Who Climbed Out the Window and Disappeared

Patch My Pc | install & update thousands of apps

This week (16-05-2022 / 19-05-2022), was a week with many Autopilot issues. Some were caused by the broken latest Office 365 build, and some were caused by server-side issues, AKA Monday Morning updates at Microsoft. This blog isn’t about those issues! This blog will show you the 0x81036502 error and how the Quick Assist tool was to blame!

1. The 0x81036502 issue

Let’s start with the issue first! When you are going to enroll a nice shiny device after 16-05-2022 with Autopilot you could end up with some nice timeout issues. Luckily it doesn’t have something to do with the Office 365 Build being broken as I was showing you in this older blog

But this problem does give you the same Autopilot time-out error (0x81036502) as shown in the blog above!

autopilot showing the 0x81036502 error during the esp app installation

Before you will get that timeout error during the Autopilot device setup phase. While receiving this error you could also get a nice UAC Host Process for Windows service window prompting you to agree.

uac prompt asking if you want to allow this app to make changes to your device

That’s definitely a window I haven’t seen before… but why do we get that awe-full UAC prompt? That window does remind me somehow of the OOBE Create Elevated Object Server when using Autopilot with Windows version 1909

the user oobe create elevated object server asking to continue

But that’s not the cause this time. Let’s find out!

2. What could be causing this UAC Prompt?

Let’s jump to the answer immediately because I can tell you a long boring story or just how it is!

Windows admins frustrated by Quick Assist moving to Microsoft Store (bleepingcomputer.com)

If you have been following Microsoft their announcements, you could have noticed that Microsoft decided to ditch deprecating the existing Quick Assist tool

“The end of service is planned for 5/16, after which point the existing inbox app will no longer work” but luckily Microsoft decided to delay the change for a week 5/23

After the 23/05 , Microsoft delayed it for another week :).. 30/05

Guess what happens when you require this quick assist app to be installed during Autopilot? It will break!!!

Broke It GIFs | Tenor

Your Autopilot enrollment will just timeout and will show you that not-so-nice Host Process for Windows services window!

3. Why did MS create a newer version?

There are multiple reasons why Microsoft decided to create a new version. I will explain the most important ones

3.1 Skype for Business

The old Quick Assist version relied on the Skype for Business back-end infrastructure and I guess we all know what happened with that one

As shown above, the Skype for Business Online infrastructure will be decommissioned on or after June 30, 2022. The new Quick Assist App version will use the Azure Communications Services instead 

3.2 Internet Explorer 11

Like some other legacy apps, the original Quick Assist was also using the Internet Explorer libraries as its presentation layer. I guess we all know the fact that Internet Explorer 11 will no longer be supported starting June 15, 2022

The new version of the Quick Assist tool uses the WebView2 Runtime. The WebView2 runtime uses Edge as the rendering engine instead of Internet Explorer 11

3.3 Improving Security

Okay… Microsoft decided to break... change it. But why? Luckily there are some people you need to follow on Twitter to understand the “why“.

He is telling us it allows us to send security updates faster. Security is always important! Let me tell you why Microsoft wants to send out security updates faster for this wonderful Quick Assist tool.

This story below is about someone impersonating Microsoft Support with the use of uhhhh of course Quick Support!

Impersonating Microsoft Support using Quick Assist (krbtgt.pw)

With this Microsoft Store version, Microsoft could send out Updates faster! But that wasn’t enough because Microsoft also wanted to make it more difficult for end-users (without admin privileges) to call in IT support? If you ask your colleague (who is in need of some IT support) to download the Quick Assist app from the Microsoft Store you will end up with that same UAC prompt!

the microsoft quick assist tool also gving us the host process for windows services uac prompt during autopilot

But why does only this app ask for your admin credentials? Let me explain! When opening PowerShell you could enter this command to get some more details about the Application Manifest.

(get-appxpackage -name *quickassist* | get-appxpackagemanifest).package.capabilities

As shown above, it’s mentioning UIAccess. When UIAccess is configured in the Application manifest, you will be prompted with UAC.

Kapil Tundwa also explains why they made sure the Quick Assist tool will ask for admin credentials when you are trying to install it from the Microsoft Store.

I get it, I do… but when you are not using an additional RMM tool, I assume you will need something to help your end-users?  A possibility would be to switch to the new Remote Help Tool Microsoft introduced but that will definitely cost you! So what other options do we have to deliver remote support because we can’t let the user install the Quick Assist tool on their own when they have no admin privileges.

Please note: When looking at the updated Quick Assist FAQ, it’s also mentioning the UAC Prompt. Looking at it gives me a little bit of hope!

4. Deploying the Quick Assist App

I tried a lot :)… Let me explain them one by one.

4.1 Intune and the MSfB connection
4.2 Winget
4.3 Manually downloading the Appx bundle
4.4 Converting the APPX to a Win32 App
4.5 Results

4.1. Intune and the MSfB Connection

Adding the Offline Quick Assist Tool from the MS Store for Business (MSfB) to Intune sounded like a perfect idea. Of course, before you could add the Offline version of the Quick Assist App you need to make sure you have connected the Microsoft Store for business to your Intune Tenant.

After adding the Offline Quick assist app and syncing the MS Store to Intune, I assigned the Offline Quick Assist app to my devices. Of course, I made sure I changed the license to: “device” instead of user!

Please Note: When choosing the Offline version of the Quick Assist app, you don’t need to worry about it won’t update automatically! The Microsoft store will still keep it up to date!

After it was installed/pushed down to the device with Autopilot it was looking good at first but when first tried opening the first Quick Assist tool I noticed, it was telling me it was an older version that still needed to be updated...

Guess what happens when you want to update it? It will prompt you for the admin credentials but looking at the installation path it showed me it was indeed the old version.

I guess I must be blind because besides the old version I also got myself the new version Quick Assist app! OLD vs NEW 🙂

Please note: This issue will be fixed in a new version!

4.2 Winget

We all know by now the Microsoft store will be deprecated and Winget will be the way to go but while updating my blog about Winget I stumbled upon some authentication issues when deploying Store apps with Winget.

Even while manually (yes manually ….) accepting the agreements as shown below it did not work

It just gave me the error mentioning “No Applicable update found”

Luckily just at the same moment, I was writing this blog I noticed the MS Store authentication issue was fixed

After reading the issue was fixed I decided to install Winget to deploy the Quick Assist tool as shown in one of my older blogs

But as shown below that stupid idea also ended up with an error but this time another one…. 0x80070520

winget got us the 0x80070520 error during installing of quick assist

After spending another minute on google I ended up ditching this idea!

`Quick Assist` on Microsoft Store prompts for admin, even if running `winget` as admin · Issue #2163 · microsoft/winget-cli · GitHub

4.3. Manually downloading the Appx bundle

At that point it hit me. why not do the exact same thing as I did with the “real offline version” of the Company Portal as I was showing you in this blog below? I know Microsoft is telling us not to mix up all these kinds of installers… but who cares? this is my test tenant 🙂

https://call4cloud.nl/2021/11/sharpes-company-portal

To get started, I needed to get the proper APP Id, luckily in my first attempt I already had it: 9P7BP5VNWKX5

https://apps.microsoft.com/store/detail/quick-assist/9P7BP5VNWKX5

At first, it sounded like a perfect idea until I press the download button and ended up with a nice certificate warning when trying to open Privacyfout (microsoft.com). It didn’t give me an option to download the needed AppxBundle at that time!

Damn…That’s odd because if I remember it correctly, it should fetch that file from HTTP-based NOT from HTTPS?

UPDATE 21-05-2022: Seems to be working again… I guess the authentication issues from this week also messed up this connection!

When you run into the same issues as I did, you could still use Fiddler to find the actual working link. After configuring Fiddler I pressed the retry button in the Microsoft Store and watched Fiddler go. It showed me this link below… which was working at first

http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9afa5368-bc21-4669-8de3-6bee3e4c606c?P1=1652883577&P2=404&P3=2&P4=R93lU3RSWg9pBaqcetsrkmYuSYGkO86KFR2aa8apV%2fTfekQb67SQi7i7UUGELijQr3tEyu%2f2M1jFLOK1QrHIKQ%3d%3d

If you don’t want to use Fiddler to fetch that app yourself, let me save you the trouble. You could download it from the link below: https://call4cloud.nl/wp-content/uploads/2022/05/QuickAssist.zip

I opened the Intune Portal and I created a new Line-of-business app, and selected that APPXBundle file

4.4 Converting the APPX to a Win32 App

Another possibility would be to create a new Win32App based on a PowerShell script. Please make sure you remove that old QuickAssist tool first and install the new Quick Assist tool with the Add-AppxProvisionedPackage command

Remove-WindowsCapability -Online -Name 'App.Support.QuickAssist~~~~0.0.1.0' -ErrorAction 'SilentlyContinue'
Add-AppxProvisionedPackage -online -SkipLicense -PackagePath '.\MicrosoftCorporationII.QuickAssist.AppxBundle'

4.5 Results

After you have picked one of the working options to ensure the Quick Assist tool will be deployed to your devices, I also added it to the required apps list in the ESP and reinstalled my test device to let it reenroll with Autopilot. After logging in with my test user, I noticed the “Quick Assist” tool was recently added!

The icon looked like the latest version. To be sure I opened the tool… And yes no update prompts!!!

Even the Microsoft store is pretty fine with it, isn’t that great!

5. Using Quick Assist during Autopilot

As we all know by now, the old deprecated version will no longer work. It will prompt the user to download the new version from the MS Store. Guess what doesn’t work during Autopilot!

You will be prompted to select an app to open the ms-windows-store link...Luckily we could still press on “not yet” for now… (30/05)

EDIT: 01/06/2022 and…. the Not Yet is gone!

Deploying the new Quick Assist tool with Intune to your devices is great. With this wonderful tool, you can ensure that you can help those who need it AFTER the device is enrolled, but it still doesn’t give you the possibility to help users during the Autopilot enrollment itself!

Let me tell you why! The app itself is installed at some point during the Autopilot Enrollment. You can configure the required apps but you can’t control the sequence of those installations!

*Please note: You also can’t even configure the apps that don’t need to be installed during the ESP (or?)

When your Autopilot device hangs on the first app and times out (for example the Office 365 Apps)the Quick Assist App isn’t going to be installed! Without that app, how will you “assist” those people? If you are deploying Windows 11, I guess we are lucky because looking at that FAQ again, it will be fixed in the future

6. Windows 10 and the WebView2 Runtime

As I mentioned in part 3 of this blog, the new Quick Assist tool uses the WebView2 runtime. WebView2 is installed by default in Windows 11, but it’s not build-in in Windows 10

After you published Quick Assist to your Windows 10 devices, the first time opening it will prompt you with this message

As shown above, it tells you that the application is requiring WebView2 runtime to run. So it looks like it’s missing right? But when refreshing the “Uninstall or change a program” screen, you will notice that it gets installed even when it gives you an error!

If you close the existing Quick Assist tool and you open it once again, it will work! If you don’t want this to happen when a user opens it for the first time on a Windows 10 device you need to make sure you already have installed it before the user logs in!

When you want to deploy the WebView2 runtime you have multiple options at your disposal. You could simply download the Evergreen standalone installer and wrap it with the IntuneWinAppUtil.exe tool

Another possibility would be to use Winget to deploy it to your devices! To do so you need to create a new PowerShell script. In this PowerShell script, Winget will try to install the Microsoft.EdgeWebView2 Runtime

$ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe"
    if ($ResolveWingetPath){
        #If multiple version, pick last one
        $WingetPath = $ResolveWingetPath[-1].Path
    }

cd $wingetpath
.\winget.exe install --exact --id Microsoft.EdgeWebView2Runtime --silent --accept-package-agreements --accept-source-agreements

Please Note: As mentioned in the Winget blog, It could take some time before the Winget.exe command is working on a newly deployed device.

Conclusion

There seems to be a new issue every day that could impact your Autopilot deployments. Luckily, there is a solution for each problem.

Many IT people rely on the built-in quick assist tool to help people who run into trouble during Autopilot, and because Microsoft is ditching the inbox app, you can’t help them anymore! That’s bad!!!! Luckily, Microsoft also told us that it will be included in a new Windows 11 build.

Hopefully, next week, we can all relax and enjoy our Autopilot enrollments!

Im Going To Relax Like No Ones Relaxed Before Im Going To Relax So Hard GIF  -

11 thoughts on “The 100-Year-Old Quick Assist tool Who Climbed Out the Window and Disappeared

  1. Hi,

    i used the quick assist appxbundle and pushed this out via Intune as per the instructions. This pushed out to the test device just fine – which is great.

    Do we know if the new Quick Assist will get automatic updates this way or will it be locked at version 2.0.6.0

    Has anyone had any updates pushed out since trying this?

    Thnaks

    S

    1. When looking at my microsoft company store blog… that one gets updated automatically… the offline and the online… I guess time will tell 🙂 But I am going to assume it will be updated

  2. When I manually add the APPX file using add-appxpackge or add-appxprovisionedpackage on a VDI, I get the following error when starting it: 0x80070426: the process for the package MicrosoftCorporationII.QuickAssist_2.0.6.0_x64__8wekyb3d8bbwe cant be created. Because there was an error during preparing activation. [LaunchProcess]

    I translated the error from my native language so maybe some words are not in order. Does anybody have an idea why this error is happening?

    1. Almost if a required service (maybe Microsoft Account Sign-in Assistant ) is disabled to add that package … or these 2
      Microsoft Passport (short name: NgcSvc)
      Microsoft Passport Container (short name: NgcCtnrSvc)

      1. The service voor de Microsoft Account Sign-In was disabled! When I turned it on, the app started working again. Thanks for the solution!

        Je bent de beste.

  3. Thanks for the write-up. Small sidestep, we have Windows 10 Enterprise, blocked store in Intune, so people won’t be able to download apps from the private store. Any experience if they’re able to install via winget? (admin / no admin)

    1. Hi… if I remember it reading correctly … you don’t need the Microsoft store to use winget to install store apps…

      1. Thanx, so a smart user is able to install any app that way from ‘the store’ (e.g. dropbox). Hmmm, gonna look into app whitelisting / blacklisting then

        1. 🙂 please note, that chrome and edge deprecated the whitelist/blacklist part
          https://call4cloud.nl/2021/10/what-if-chrome-policies-are-failing/

          1. Haha, no I mean AppLocker ;-). We already disallow installation of Apps (setup executables) for users, but with winget it seems they can freely install

  4. In Windows 10 220H2 and Windows 11 Quick Assist is again part of the OS so no need to install it as required app anymore.

    But I found your article because I was searching to get QuickAssist to work during Autopilot of Windows 11.
    In Win 10 we are able to use QuickAssist during OOBE – Autopilot to assist a remote customer. In W11 I’m not able to get it running. Quick assist can not be started. Any Ideas ?

Leave a Reply

Your email address will not be published. Required fields are marked *

6  +  1  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.