This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 73%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have an domain joined Windows 11 client where I am trying to create linux distro under WSL2.
While installing the distro, I encounter this error:
running wslexec: Logon failure: the user has not been granted the requested logon type at this computer.
What I have found out is this is happening when "NT VIRTUAL MACHINE\Virtual Machines" group is missing from "Log on as service" policy in User Rights Assignment.
As a workaround, restarting Hyper-V Host Compute Service is adding back "NT VIRTUAL MACHINE\Virtual Machines" group to "Log on as service" policy and I am able to create the linux distro.
What I would like to know is why/what is causing "NT VIRTUAL MACHINE\Virtual Machines" group getting removed ?
Hello. I think that the primary reason why it gets removed is due to a Group Policy Object (GPO) that overrides the local security policy settings on your Windows 11 client.
Check with an Active Directory administrator, as there’s a chance the conflicting GPO needs to be modified. The GPO managing “Log on as a service” should be updated to explicitly include the “NT VIRTUAL MACHINE\Virtual Machines” group.
Understood. Thank you. I tried to add that group in my Local Security Policy, I know Local policies will be overridden by GPO, but I wanted to check if it allows me to add it or not. But when I searched for a group starting with NT, it didn't find "NT VIRTUAL MACHINE\Virtual Machines”. So how can it be added (either to local machine or Domain server) to the Log on as service" policy ?
Which domain GPO is currently applying the “Log on as a service” policy on this machine?
In any case, in the GPO that actually controls “Log on as a service,” add the SID directly: S-1-5-83-0, Windows will resolve it as the Virtual Machines group when the policy applies, and this prevents it from being removed during the next refresh.
