Why is "logon type 5" used (logon as a service) when a scheduled task runs as gMSA?

Pauly, Christian 6 Reputation points
2023-10-19T13:10:20.17+00:00

All documentation I could find so far referred to the account right "Logon as a batch job" as a requirement to start a scheduled task "whether a user is logged on or not". But this does not seem to be true for gMSA.

Whenever I configure a scheduled tasks to run "whether user is logged on or not" and define a gMSA via Powershell (- LogonType Password) it produces a LogonType 5 - "Logon as a service".

The same scheduled tasks configured to run in the context of a domain user produces LogonType 4 - "Logon as a batch job".

What I failed to learn after a lot of research is the reason why. Is somebody able to point me in the right direction so that I understand where the difference is between running a scheduled task as gMSA or domain user (with creds stored in Credential Guard)?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,287 questions
0 comments No comments
{count} vote