UiPath (Studio/Robot) itself is able run on a Windows Server or Workstation (see Software Requirements) and for High-Density Robots it is even recommended.

But this appears to be in contradiction to the general goal of Robotic process automation (or RPA) which is to control user applications. Excerpt from WikiPedia about Robotic process automation:

RPA tools have strong technical similarities to graphical user
interface testing tools. These tools also automate interactions with
the GUI, and often do so by repeating a set of demonstration actions
performed by a user. RPA tools differ from such systems that allow
data to be handled in and between multiple applications, for instance,
receiving email containing an invoice, extracting the data, and then
typing that into a bookkeeping system.

_{Note that a (Core/Nano) Server doesn’t necessarily include a GUI at all}

See also: What’s the Difference Between Windows and Windows Server?, quote:

Windows 10 Is the Familiar Desktop Experience
While Windows 10 lacks server-specific features, it makes up for it in other areas…

I couldn’t find a explicit statement from Microsoft, but we are currently bouncing into practical situation which several of our customers that are receiving the following warning on the UiPath Outlook activity:

A program is trying to send an e-mail message on your behalf

Which is indirectly related to the fact Outlook is appearently not supposed be installed on a Windows Server where Windows Security Center (WSC) is Unavailable. This version of Windows does not support antivirus detection:

Cause Windows Security Center is not supported on server operating system versions. For this reason Outlook is unable to check antivirus
status when installed on a Windows Server.

More Information
Outlook depends upon the Windows Security Center (WSC) on the
operating system to detect the status of the antivirus
software on the machine. Since the antivirus status isn’t listed
within the WSC on Windows Server Operating Systems, it is unable to
obtain this information which results in the message we are seeing
within Outlook. You can confirm this if you log into the Windows
Server console. In the Action Center, you will not see any antivirus
information.

At other other hand, Microsoft does appears to support products as Office 365 on Windows Server 2019 or Windows Server 2016

Is there a clear statement whether a UiPath robot should run on a Server or Workstation (where it is required to control user/office applications)?

I think it really depends on what your needs and constraints are.

If you are using a single user per machine, or have applications that are not compatible with Windows Server then go with a workstation or VDI setup.

If you want/need less host machines and have compatible software, nothing wrong with Windows Server which you’d need to install RDS to have more than two concurrent connections.

We make use of both scenarios without issue including using Office 2016 Desktop applications. We do see the Outlook warning you mention due to our Server not having the same security software as our general desktops and a GPO in place to enforce the check. For now we automatic the allow of the interaction, but also working on building an server image with acceptable security software.

Another approach we take is not using Outlook at all As we do use Office 365 services, we either use Exchange Web Services or the MS Graph API.

We have not used a Windows Server host with Windows 10 experience, so I can’t speak to that aspect.

Thank you for your reply and sharing your experiences.

I do have although some difficulties with:

as I don’t like to ask the customers to blindly open this security feature, especially via a GPO on servers where a lot of administrators have access to. Microsoft doesn’t provide this default behavior for nothing. To my opinion, it is already very easy to spread malicious software via a (modified) xaml file.
Besides what if Microsoft decides to introduce a similar behavior on the rest of their Office products (Word, Excel, …)?

No It is not ideal but we are working within our current limitations and I see it as an acceptable risk given the other security pieces we have in place within our organization. There are going to be trust hosts that have sensitive keys as an example in place, where the owning group and administrators have access. Definitely minimize the security risk where possible.

There are similar protection with the security options in the other applications with macros etc., having the automated sequence click allow a couple times and waiting for the timer to pass is similar to letting a human click it. (We use unattended robots), within our organization we have a GPO configured to force the prompt if valid firewall/antivirus software is not installed.

If your concerned about xaml or Nuget packages that could be tampered with outside of any audit controls, I’d consider signing the packages and configuring UiPath to enforce this requirement.

Thanks again for the thoughts and suggestions.
Personally I was thinking of a kind of phishing mail with malicious low code workflow (xaml file) that might spread itself via outlook.