Windows 10: Scheduled tasks with workstation lock/unlock not being triggered



I'm running Windows 10, and trying to get a pair of scheduled tasks working. These tasks are set to run on workstation lock and workstation unlock, and execute a script that remotely locks or unlocks an adjacent arch-linux workstation. This is accomplished via the WinSCP command-line interface,, and its built-in scripting ability. These scrips are working just fine - I can invoke them manually to the desired effect. I can even right-click the tasks I've set up and click 'run', and observe the desired effect. The problem is that the workstation-lock and workstation-unlock events don't appear to ever be triggered, when actually locking and unlocking the workstation. This same set of scheduled tasks worked as expected under Windows 7.

Lock/Unlock tasks overview

Task Scheduler window

Based on answers so far, I can get the tasks to run as expected if I check the "Run only when user is logged on" box, but this has the undesired side effect of causing a visible command window to appear when the tasks are triggered.

OS is Windows 10 Enterprise LTSB 2016 (x64). Any insight or ideas would be appreciated.

Things I have already tried:

  • Using GPO to enable auditing of workstation lock/unlock events - no effect. (lock/unlock events appear in the event viewer as expected)

  • Creating an alternate windows user and setting the task to run as that principal.

  • Wrapping the call to in a batch script.

  • Modifying local GPO to ensure that logon-as-batch is enabled.

Other relevant information: Other scheduled tasks (e.g. those running at a set time or interval) are working fine. Only these two tasks are failing to trigger.

Edit: Per Twisty's comment, I turned on task history, and got an actual error message: Task scheduler error message

So it appears the task is indeed triggered, but fails to launch. Interestingly, this does not update the "Last Run Time" property for the task.

Some cursory googling indicates that this error may be related to logon/password information. I've verified that the stored password is correct, but the same issue persists. Here is a screenshot of the 'General' tab as requested.General Tab

Here is the WINSCP script being executed (key censored):

# Connect
open sftp://charles@ -hostkey="ssh-rsa 2048 
call cinnamon-screensaver-command -d

I've just tried wrapping this in a very simple batch file:


SET prgwinscp="C:\Program Files (x86)\WinSCP\"
%prgwinscp% /script=lock-arch.winscp

I can execute this by hand, and as a scheduled task it works when I check "Run only when user is logged on". Unfortunately, as before, once I set the task to "Run whether user is logged on or not", I get the usual failure.

As requested, here is a screenshot of the actions tab:actions pane

The obscured text is as follows:

Add Arguments (Optional):    /script=unlock-arch.winscp
Start in (Optional):    C:\Program Files (x86)\WinSCP


Posted 2017-05-31T17:12:31.300

Reputation: 1 723

Try turning off "Game mode" through the Settings app...? – Kinnectus – 2017-05-31T17:20:53.310

"Game mode" is not present in this version of Windows 10. – Fopedush – 2017-05-31T17:31:57.700

Damnit lol. I wonder if when you luck your machine the tasks are being postponed for some other reason – Kinnectus – 2017-05-31T17:33:16.557

Do "scheduled" (at set time) tasks trigger when your machine is locked? – Kinnectus – 2017-05-31T17:34:17.630

Looks like it - I made a new scheduled task to run calc.exe one minute from the current time, locked my computer and waited. When I unlocked, calc was running. – Fopedush – 2017-05-31T17:37:47.663

Is it a laptop you're using? Is it plugged in to an AC outlet? – Kinnectus – 2017-05-31T17:43:56.950

Yes and yes. (here's another yes to reach the character minimum) – Fopedush – 2017-05-31T17:51:45.987

What happens if you untick the AC option in your Scheduled Task "conditions" tab for your condition? – Kinnectus – 2017-05-31T17:53:49.653

Already unticked - I've tried it both ways. No difference. – Fopedush – 2017-05-31T17:56:13.293


  • Enable task history (right-click Task Scheduler Library in left pane> Enable History) and see what's logged on workstation lock. 2) Please post a screen shot of the General tab, or tell us how the security options for the task are configured
  • < – I say Reinstate Monica – 2017-06-07T14:40:59.887

    @Twisty Updated question with additional information per your comments. – Fopedush – 2017-06-07T18:19:10.703

    @Twisty it appears that switching to "run only when user is logged on" alleviates the issue, but has the unfortunate side effect of causing a cmd window to appear on my desktop (see I'd much rather be able to keep the window hidden, if possible.

    – Fopedush – 2017-06-07T18:23:45.703

    Is Charles the currently logged on user, or no? – I say Reinstate Monica – 2017-06-07T18:59:53.230

    yes - Charles is indeed currently logged in. – Fopedush – 2017-06-07T19:04:57.797


  • To prevent this command window from appearing, create another user account with the necessary permissions to successfully run the task, then configure the task to use that user's credentials. 2) The error code you're getting suggests either the password for the account is wrong, or that you need to enable the option "if task is already running, stop existing instance" on the Settings tab.
  • < – I say Reinstate Monica – 2017-06-08T00:19:45.313

    @Fopedush I'm having the exact same issue with a .bat script. Timed tasks run fine, but lock/unlock triggers always fail. I've tried all the suggestions in the answer to no avail. Did you ever get this resolved? – Waxen – 2017-09-06T19:01:31.420



    Follow the below steps to troubleshoot and resolve your problem

    Task Scheduler Properties. . .

    From Windows Task Scheduler on the job properties (see bottom most screen shots) in the. . .

    • 1. General tab, ensure that the below options are select/checked or unchecked just as shown in Print Screen A

      • Uncheck Run only when user is logged on
      • Check Run whether user is logged on or not
      • Check Run with the highest privileges
    • 2. Conditions tab, ensure that the below options are select, checked, or unchecked just as shown in Print Screen B

      • Check Wake the computer to run this task
    • 3. Actions tab, click Edit, and enure that the Start in (optional) is set just as shown in the below example (DO NOT put double quote marks around it) for the full path pointing where the batch script is located WITHOUT a final backslash "\" Print Screen C


    • Once you press OK (2. above) it should prompt you for the credential to run this as, and that credential is what will need access to EXECUTE the batch file where it exist, and it will also need access to do whatever the batch file is running that you scripted out.

    • It may be best to setup a static service/proxy user account for this process and then use its credentials to run the process. You'd need to ensure its password is strong and it set to never expire—and it needs access to EXECUTE the batch and run whatever the batch scripted process is running and any commands and resources, ect. it utilizes as well.

    • It seems the option Run whether user is logged on or not you MUST check the option Run with highest privileges for it to actually run as expected from the Task Scheduler.

    Error Checking

    • If there is an issue with the actual batch script but the Windows Task Scheduler actually does execute it to run it but the batch script logic errors out, etc. for whatever reason, the Task Scheduler may not see this failure at this level. From its perspective (by default most of the time), it’s executing the batch file so as long as it can execute it and has access to do so, its job is done successfully.

    • Add error checking or logging to the batch script logic to catch (or troubleshoot) issues at this level including ensuring that the security context which the batch scheduler executes it as has appropriate access to commands, resources, etc. which the batch script runs as.

    Group Policy Considerations


    Answer: On Windows, this privilege is granted through the Local or Domain Security Policy. To do this using the Local Security Policy, follow these steps.

    1. In the Control Panel, open Administrative Tools, then Local Security Policy.
    2. Beneath Security Settings, open Local Policies and highlight User Rights Assignment.
    3. Locate Log on as a batch job. Open the properties and add any users that need this right.
    4. When finished, save your changes and close the Local Security Settings window.

    Your changes should take effect immediately. To make changes to the Domain Security Policy, on a domain controller, use the Domain Security Policy utility in the Control Panel

    Batch Script Logic with Mapped Drives or Full UNC Path, and issues. . .

    If your script is referencing a mapped network drive but you want it to Run whether the user is logged on or not, then under this context, the drive mapping may not actually be there for the batch process to do what’s expected.

    If possible, use UNC paths in your batch script logic rather than a mapped drive letter to avoid issues. Otherwise, you may need to use PUSHD \\ServerName\ShareName at the beginning of the batch process and then use POPD at the end of the batch process. You could map the drive with NET USE X: \\ServerName\ShareName at the beginning of the batch process and then disconnect the drive with NET USE X: /DELETE at the end of the batch process.

    Print Screens

    Print Screen A

    enter image description here

    Print Screen B

    enter image description here

    Print Screen C

    enter image description here

    WinSCP Batch Script Examples

    Below are two very basic and dumbed-down examples of an FTP script to upload to and an FTP script to download from an FTP server using Be sure the SET winscplogin= variable is set to the name of the FTP connection you have defined from within the WinSCP GUI.

    This way builds the script dynamically and you build the FTP commands from within the batch script but you can also just simply point it to a static WinSCP script with the FTP commands in them otherwise too which is easy to setup.

    Upload to an FTP Server

    @ECHO ON
    SET logfile=C:\folder\path\log.log
    ::SET WinSCP variables, etc.
    SET prgwinscp="C:\Program Files\WinSCP3\"
    SET winscplogin="ABC Company"
    SET winscpfile=C:\folder\path\ABCompany_FTP_OUT_WinSCP.txt
    IF EXIST "%winscpfile%" DEL /Q /F "%winscpfile%"
    ECHO.                                              >> "%logfile%"
    ECHO *******************FTP OUT******************* >> "%logfile%"
    ECHO Delivering file(s) to ABC Company FTP server  >> "%logfile%"
    SET ftpdir="ToABC"
    ECHO option batch on           >> %winscpfile%
    ECHO option confirm off        >> %winscpfile%
    ECHO option transfer binary    >> %winscpfile%
    ECHO open %winscplogin%        >> %winscpfile%
    ECHO cd %ftpdir%               >> %winscpfile%
    ECHO put "C:\Folder\Path\*.*"  >> %winscpfile%
    ECHO dir                       >> %winscpfile%
    ECHO close                     >> %winscpfile%
    ECHO exit                      >> %winscpfile%
    ECHO %winscpfile%                                >> "%logfile%"
    TYPE %winscpfile%                                >> "%logfile%"
    ECHO - - - - - - - - - - - - - - - - - - - - - - >> "%logfile%"
    %prgwinscp% /script=%winscpfile%                 >> "%logfile%"
    ECHO - - - - - - - - - - - - - - - - - - - - - - >> "%logfile%"
    IF EXIST "%winscpfile%" DEL /Q /F "%winscpfile%"
    ECHO Transmission complete                       >> "%logfile%"

    Download from an FTP Server

    @ECHO ON
    SET logfile=C:\folder\path\log.log
    ::SET WinSCP variables, etc.
    SET prgwinscp="C:\Program Files\WinSCP3\"
    SET winscplogin="ABC Company"
    SET winscpfile=C:\folder\path\ABCompany_FTP_IN_WinSCP.txt
    IF EXIST "%winscpfile%" DEL /Q /F "%winscpfile%"
    ECHO.                                             >> %logfile%
    ECHO *******************FTP IN******************* >> %logfile%
    ECHO Retrieving files from ABC Company server     >> %logfile%
    SET ftpdir="FromABC"
    ECHO option batch on          >> %winscpfile%
    ECHO option confirm off       >> %winscpfile%
    ECHO option transfer binary   >> %winscpfile%
    ECHO open %winscplogin%       >> %winscpfile%
    ECHO cd %ftpdir%              >> %winscpfile%
    ECHO ls                       >> %winscpfile%
    ECHO get "*.*" "C:\Folder\path\"  >> %winscpfile%
    ECHO close                    >> %winscpfile%
    ECHO exit                     >> %winscpfile%
    ECHO %winscpfile%                                >> %logfile%
    TYPE %winscpfile%                                >> %logfile%
    ECHO ------------------------------------------- >> %logfile%
    %prgwinscp% /script=%winscpfile%                 >> %logfile%
    ECHO ------------------------------------------- >> %logfile%
    IF EXIST "%winscpfile%" DEL /Q /F "%winscpfile%"
    ECHO FTP Downloading Complete                    >> %logfile%
    ECHO Transmission complete                       >> %logfile%

    Custom Example Scripts

    Be sure to use both the options of Run whether user is logged on or not and Run with the highest privileges when you schedule the batch script. Once you apply these changes you will need to put in credentials to run the task as explicitly. Be sure to use an account that has execute access to the C:\Program Files (x86)\WinSCP\ file and that also meets the other general prerequisites as listed above.

    If you still have issues and want to confirm it's not OS security related, create a new local account on the machine and give it a strong password, set it to never expire, and to have the run as batch permissions. You can also make it a local admin and test just to be thorough to see if giving the account local admin access on the machine makes any difference.

    This would mean you have two files: a batch script and a WinSCP. The batch script will pass the WinSCP script to and you can just execute it to run the process. Be sure this script works as the same user while logged on by simply executing it to test and then test with that same account while logged onto the machine session with the Run only when user is logged on option to confirm it works from Task Scheduler as well before you set it to run whether logged on or not, etc.

    The Task Scheduler Actions tab will only use the Program/Script: field with all other fields left blank but the Program/Script: field will have a value of C:\folder\path\yourbatchscript.cmd.

    Batch Script

    @ECHO ON
    SET prgwinscp="C:\Program Files (x86)\WinSCP\"
    %prgwinscp% /script=lock-arch.winscp

    WinSCP Script

    open sftp://charles@ -hostkey="ssh-rsa 2048 
    call cinnamon-screensaver-command -d

    Pimp Juice IT

    Posted 2017-05-31T17:12:31.300

    Reputation: 29 425

    Hi McDonalds, thanks for your detailed response. Unfortunately the problem remains unresolved. I've followed your instructions to the letter - though most of these settings needed no change. The only real change was the addition of the local group policy allowing logon as batch job - though this had no effect. Your response has made me realize that the process type may be relevant, however - this executable is neither .exe nor .bat, it is a .com file. Specifically, distributed with the standard WinSCP Installer. – Fopedush – 2017-06-08T22:10:57.357

    Some cursory googling is leading me to believe that special handling of COM files is a likely culprit for this strange behavior - but I'm still searching for a solution. A bat/exe wrapper might work, or perhaps I need to just find an alternative to winscp. In the mean time perhaps someone else with Windows 10 x64 can attempt to trigger this COM file via scheduled task and see if the same issues occur? – Fopedush – 2017-06-08T22:26:03.520

    Documentation for is here: . I've tried changing my command to "winscp.exe /console", to no effect. The .NET api is promising, but obviously will take a little more time.

    – Fopedush – 2017-06-08T22:38:23.920

    @McDonalds - I'm actually using WinSCP to establish an SSH connection to a remote host and execute commands on that host. The script is very simple - I'll put it in the original question. – Fopedush – 2017-06-09T17:09:48.120

    @McDonalds I've also added a screenshot of the actions tab, as requested. – Fopedush – 2017-06-09T17:22:54.473

    @Fopedush I just wanted to say thanks for allowing me to help you get this resolved!! – Pimp Juice IT – 2017-06-15T00:13:27.977

    I had to give you an upvote just for all the work it took to make this answer. – Omegacron – 2018-04-20T21:37:23.210

    @Omegacron I appreciate that you can appreciate a well worked answer. I can appreciate a good SharePoint admin. Now that's something that's been a while for me. I worked SP hard on the older version that used the STSADMIN tool or whatever it was called. I had it down packed, saved folder of everything you'll ever need scripts and all... I was even working some magic on the SQL DB part of it too... LOL.... I like scripting and writing logic and automating processes. I'll keep up the good work and you do the same Omegacron!! – Pimp Juice IT – 2018-04-20T22:22:29.387

    As an aside, in your batch files, consider the form >>%winscpfile% ECHO something instead of ECHO something >> %winscpfile%. I can see that you like to logically align your code with whitespace but, in batch, that whitespace will end up in your generated script. I'm sure WinSCP handles whitespace well, but I've seen/written many of these types of scripts and had them fall over because of unexpected whitespace in the generated script (passwords in ftp.exe -s scripts are a classic!) – jimbobmcgee – 2019-06-05T19:51:12.380

    @jimbobmcgee That's a good point for consideration indeed. Sounds like "another" good answer for a question I asked a long time ago here: so consider that consideration from me as well. In this instance from my experience with WinSCP in particular, you are correct that it does handle the white space very well (at least the newer versions I've used). I have been hit by that before though with the white space and ftp with the -s switch, etc. so I know exactly what you are talking about so thank you...

    – Pimp Juice IT – 2019-06-05T21:34:37.023


    The Win10 task scheduler has a lot of bugs -- especially in the GUI. See:

    You might have some luck re-compiling the interface:

    mofcomp c:\Windows\System32\wbem\SchedProv.mof

    You may also want to create the task via COM interface in PowerShell. I prefer using a string variable containing the XML definition. You can export the XML of the GUI-created task and clean it up/correct it. Then:

    $TaskService = new-object -ComObject('Schedule.Service')
    $Task = $TaskService.NewTask($null)
    $task.XmlText = $XMLstring
    $null = $Global:TaskFolder.RegisterTaskDefinition('Lock Arch Workstation', $Task, 6, $null, $null, 3)

    Good luck!


    Posted 2017-05-31T17:12:31.300

    Reputation: 157

    Interesting, I didn't know about this. I'll give it a shot when I've got some time. – Fopedush – 2018-01-26T22:19:46.757


    I solved this by bypassing the "On Workstation Lock/Unlock" trigger types, and setting triggers to look at the windows event log directly.

    It's not ideal, but should be sustainable. Definitely still curious about why the triggers provided by Task Scheduler aren't working though.

    Configure Lock/Unlock Events

    By default, the lock/unlock events are not audited to the event log, you will need to enable logging of these events. You can do so from the group policy editor:

    run -> gpedit.msc

    and configuring the following category:

    Computer Configuration ->
    Windows Settings ->
    Security Settings ->
    Advanced Audit Policy Configuration ->
    System Audit Policies - Local Group Policy Object ->
    Logon/Logoff ->
    Audit Other Login/Logoff Events

    (In the Explain tab it says "... allows you to audit ... Locking and unlocking a workstation".)


    Create Triggers

    From there, you can set up triggers to the 4800 (lock) and 4801 (unlock) events like so:

    Trigger configuration


    Posted 2017-05-31T17:12:31.300

    Reputation: 139

    1Thank you - this is the first place I've seen simple, concise instructions on how to enable logging of workstation locking – Omegacron – 2018-04-20T21:38:21.877