
Trying to create a GPO to Lock all workstations at a specific time

Jerry Reeves 0 Reputation points
2025-09-09T16:10:37.5033333+00:00

I have been unsuccessful getting a GPO to work at the client level. Created a GPO on the Windows 2019 Server which is a DC. Updated the GPO to push it out to all clients but I cannot get it to work. I have created a Scheduled Task to lock all workstations at a specific time of day. I have also tried to create the task on the client PCs individually. The Task will work fine if I run it from a command line but not as a Scheduled Task. I have selected Run with the highest privileges, Run whether or not user is logged on, tried it with the individual PC's user credentials and my own which is Domain Admin. No luck. Research I have done does suggest there may be a problem with this Task in Windows 11 clients. Can anyone offer assistance? Thank you in advance.

Windows for business | Windows Server | Devices and deployment | System management components

1 answer

  1. Jerome Suggs 5 Reputation points
    2026-02-24T15:41:30.6533333+00:00

    What you’re running into is most likely a session context issue rather than a GPO issue. The scheduled task requires an interactive user session. It will work when run manually in a logged-on session, but it will silently fail if the scheduled task runs in a non-interactive context (such as Session 0).

    If the scheduled task is configured with:

    • “Run whether user is logged on or not”
    • Running as SYSTEM
    • Or without an interactive token

    then LockWorkStation will not execute properly on Windows 10/11.

    For this scenario, the task should be configured as:

    • Run only when user is logged on
    • Run in the user’s security context (not SYSTEM)
    • Do not use “Run whether user is logged on or not”

    If deploying via GPO, consider creating the scheduled task under:

    User Configuration → Preferences → Control Panel Settings → Scheduled Tasks

    so that it runs in the user session rather than the machine context.

    This is a common issue related to session isolation.
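
The task settings described in the answer above, as a PowerShell sketch for a single client (an added example, not part of the original answer). The task name, the 18:00 trigger time and the use of `rundll32.exe user32.dll,LockWorkStation` as the lock command are assumptions; run it from an elevated prompt.

```powershell
# Added example. Assumed values: task name, trigger time, and the lock command.
$TaskName = 'Lock-Workstation-Daily'   # hypothetical name
$LockTime = '18:00'                    # hypothetical time of day

$action  = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\rundll32.exe" `
    -Argument 'user32.dll,LockWorkStation'
$trigger = New-ScheduledTaskTrigger -Daily -At $LockTime

# A group principal makes the task start inside the desktop session of whichever
# member of the group is logged on ("Run only when user is logged on"), not in
# Session 0. Locking needs no elevation, so the run level stays Limited.
# 'BUILTIN\Users' is the English group name; adjust on localized systems.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Report how an existing task is bound to a session, to spot the failing
# configurations listed in the answer before waiting for the trigger time.
function Test-TaskRunsInteractively {
    param([Parameter(Mandatory)][string]$TaskName)

    $p = (Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop).Principal
    # Interactive / Group        -> runs in the logged-on user's session
    # Password / S4U             -> "Run whether user is logged on or not"
    # ServiceAccount             -> SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    [pscustomobject]@{
        TaskName    = $TaskName
        Principal   = if ($p.GroupId) { $p.GroupId } else { $p.UserId }
        LogonType   = "$($p.LogonType)"
        RunLevel    = "$($p.RunLevel)"
        Interactive = "$($p.LogonType)" -in 'Interactive', 'Group'
    }
}

Test-TaskRunsInteractively -TaskName $TaskName
```

A task that reports `Interactive = False` here is one of the configurations the answer says will fail silently. `InteractiveOrPassword` is deliberately counted as non-interactive by this check because it can also run without a desktop session.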

