Symptom & Impact
Unattended scripts and scheduled tasks fail because User Account Control prompts for elevation interactively, breaking automation jobs that previously ran silently on Windows Server 2016.
Environment & Reproduction
Seen on member servers and standalone hosts after a security baseline or GPO drift changes UAC behavior. Reproduce by running an elevated batch job from a non-interactive session.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' | Select EnableLUA,ConsentPromptBehaviorAdmin,FilterAdministratorToken
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'} | Select TaskName,Principal
Root Cause Analysis
Baselines tightened ConsentPromptBehaviorAdmin or enabled Admin Approval Mode for the built-in Administrator, causing token filtering during non-interactive runs.
Quick Triage
Inspect current UAC registry values and recent policy applications.
secedit /export /cfg C:\Temp\uac.cfg /areas SECURITYPOLICY
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 20
Step-by-Step Diagnosis
Check the policy origin, task principal, and whether the task is set to run with highest privileges or as SYSTEM.
gpresult /h C:\Temp\gp.html /f
Get-ScheduledTask -TaskName 'NightlyJob' | Select -ExpandProperty Principal
schtasks /query /tn 'NightlyJob' /v /fo LIST

Solution – Primary Fix
Configure tasks to run as SYSTEM or a service account with highest privileges, and align UAC policy with admin automation needs. Setting ConsentPromptBehaviorAdmin to 0 makes every administrator elevation on the host silent, so change the task principal first and touch the registry value only if the job still fails.
schtasks /change /tn 'NightlyJob' /ru 'NT AUTHORITY\SYSTEM' /rl HIGHEST
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ConsentPromptBehaviorAdmin -Value 0
gpupdate /force

Solution – Alternative Approaches
Use a managed service account or gMSA so credentials and elevation are handled outside UAC consent paths.
New-ADServiceAccount -Name svc-jobs -DNSHostName svc-jobs.corp.local -PrincipalsAllowedToRetrieveManagedPassword 'CORP\AppServers'
Install-ADServiceAccount -Identity svc-jobs
schtasks /change /tn 'NightlyJob' /ru 'CORP\svc-jobs$'
Verification & Acceptance Criteria
Scheduled job runs unattended and writes expected output without consent dialogs.
Get-ScheduledTaskInfo -TaskName 'NightlyJob' | Select LastRunTime,LastTaskResult
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' -MaxEvents 10
Rollback Plan
Revert the UAC registry change to the default (5, prompt for consent for non-Windows binaries) if elevation policy must remain strict.
Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ConsentPromptBehaviorAdmin -Value 5
gpupdate /force
Prevention & Hardening
Standardise automation on gMSAs, document UAC baselines, and review scheduled tasks for principal/elevation alignment quarterly.
Get-ADServiceAccount -Filter * | Select Name,Enabled
Get-ScheduledTask | Export-Clixml C:\Temp\tasks-baseline.xml
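For the quarterly principal/elevation review, a read-only audit can put the UAC values and each task's principal side by side. This is an added example, not part of the original article; the classification notes in it are an assumed heuristic to adapt to your own baseline.

```powershell
# Added example: read-only audit; changes nothing on the host.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, FilterAdministratorToken

# Documented meanings of ConsentPromptBehaviorAdmin (this page sets 0 and 5).
$promptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$cpba = $uac.ConsentPromptBehaviorAdmin
$cpbaText = if ($null -eq $cpba) { 'not set' } else { $promptMeaning[[int]$cpba] }

[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    FilterAdministratorToken   = $uac.FilterAdministratorToken
    ConsentPromptBehaviorAdmin = $cpba
    Meaning                    = $cpbaText
} | Format-List

# Classify every enabled task by how its principal obtains a token.
# The notes below are an assumed heuristic, not an official rule set.
$report = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $p     = $_.Principal
    $logon = "$($p.LogonType)"
    $level = "$($p.RunLevel)"
    $note  = if ($logon -in 'Interactive', 'Group') {
        'Runs only in a logged-on session; not unattended'
    } elseif ($logon -ne 'ServiceAccount' -and $level -ne 'Highest') {
        'Limited run level; an administrator account gets a filtered token'
    } else {
        'Suitable for unattended runs'
    }
    [pscustomobject]@{
        TaskName  = $_.TaskName
        RunAs     = if ($p.UserId) { $p.UserId } else { $p.GroupId }
        LogonType = $logon
        RunLevel  = $level
        Note      = $note
    }
}
$report | Sort-Object Note, TaskName | Format-Table -AutoSize
```

Comparing this output against the exported tasks-baseline.xml shows which principals or run levels changed since the last review.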
Related Errors & Cross-Refs
Often related to SmartScreen, AppLocker rule blocks, and Credential Guard interaction with legacy automation tooling.
References & Further Reading
Microsoft Learn: User Account Control settings, Task Scheduler security, and gMSA deployment guidance.