Hyper-V VM Management Service Encountered a Logon Failure

I faced the following error when I tried to create my first Hyper-V VM on my new laptop.

I used the Resultant Set of Policy MMC and checked the User Rights Assignment configuration. I found that somebody has linked a Group Policy Object (GPO) to the domain container that assigns several domain user accounts the Logon as Service right. This is a very bad idea. You should not manually modify the Default Domain Policy or link a GPO with User Rights Assignments to the top hierarchy of the domain.

During the installation of Hyper-V the Local Group Policy Object (LGPO) was automatically modified, but the settings of the domain GPO is processed afterwards and overwrites the values of the LGPO. We used security filtering to block this domain GPO from my laptop. Afterwards the User Rights Assignments of the LGPO was active again. Now I can create VMs without any problems.

You can read additional information about the NT VIRTUAL MACHINE\Virtual Machines security group that was introduced with Hyper-V on Windows Server 2012 / Windows 8 in the blog article “Logon Failures Involving Virtual Machines in Windows Server 2012”. A similar problem is described in the Microsoft knowledge base article “Starting or Live Migrating Hyper-V virtual machines may fail with error 0x80070569 on Windows Server 2012-based computers”.