
AD FS (3.0) for Windows Server 2012 R2 (WID) - Configuration fails with 'Cannot start service MSSQL$MICROSOFT##WID'

Issue

After successfully passing the pre-requisite check when running the AD FS configuration wizard, the installer fails during the installation phase with the following error:

Cannot start service MSSQL$MICROSOFT##WID on computer '.'.

**Note:** This only occurs when using the Windows Internal Database (WID) backend for AD FS.

Event log errors

AD FS Installations using Windows Internal Database

Log Name: System
Source: Service Control Manager
Event ID: 7041

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID

This service account does not have the required user right "Log on as a service."

User Action

Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.

If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

Cause

Choosing "install to Windows Internal Database" during the AD FS configuration wizard installs the Windows Internal Database feature, which runs under a virtual service account called NT SERVICE\MSSQL$MICROSOFT##WID. The error during AD FS configuration is caused by the WID service failing to start because that account cannot log on: it has not been granted the "Log on as a service" user right on the server.

Resolution

Add the "Log on as a service" user right to **NT SERVICE\ALL SERVICES**. This should be done with Group Policy, since a user-rights assignment defined in a GPO replaces whatever is set locally at the next policy refresh. See this thread on our forums for more detail.
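The following PowerShell script is an added diagnostic example; it is not part of this article and not a Microsoft tool. It confirms the symptom (Service Control Manager event 7041 for the WID service) and then reads the effective "Log on as a service" assignment (SeServiceLogonRight) on the local server to report whether NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) or the WID service's own virtual account holds the right. It assumes an elevated PowerShell session on the affected AD FS server with secedit.exe available; it changes nothing itself and points at the Group Policy setting to fix.

```powershell
# Added example, not part of the original article.
# Assumptions: elevated PowerShell on the AD FS server; secedit.exe present.

$serviceName    = 'MSSQL$MICROSOFT##WID'
$allServicesSid = 'S-1-5-80-0'   # well-known SID for NT SERVICE\ALL SERVICES

# --- 1. Symptom: Service Control Manager event 7041 for the WID service -------------
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7041 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$serviceName*" }
if ($events) {
    Write-Host ("Event 7041 logged {0} time(s) for {1}; most recent: {2}" -f
                @($events).Count, $serviceName, @($events)[0].TimeCreated)
} else {
    Write-Host "No event 7041 for $serviceName found in the System log."
}

# --- 2. Effective user-rights assignment on this machine ----------------------------
# secedit exports the current policy as an INF file; SeServiceLogonRight lists the
# principals as comma-separated *SID entries.
$inf = Join-Path $env:TEMP 'userrights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

# Translate each SID to a readable name; entries that do not resolve are shown as-is.
$resolved = foreach ($sid in $granted) {
    try   { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}
Write-Host 'SeServiceLogonRight is currently granted to:'
$resolved | ForEach-Object { Write-Host "  $_" }

# The WID service's own virtual-account SID, resolvable only once the service exists.
try {
    $widSid = (New-Object System.Security.Principal.NTAccount("NT SERVICE\$serviceName")).Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch { $widSid = $null }

$hasRight = ($granted -contains $allServicesSid) -or ($widSid -and ($granted -contains $widSid))

if ($hasRight) {
    Write-Host "OK: $serviceName is covered by SeServiceLogonRight. Try: Start-Service '$serviceName'"
} else {
    Write-Host "MISSING: neither NT SERVICE\ALL SERVICES ($allServicesSid) nor $serviceName holds SeServiceLogonRight."
    Write-Host 'Fix it in the GPO that applies to this server rather than locally with secedit:'
    Write-Host 'a GPO-defined user right replaces the local list at the next policy refresh.'
    Write-Host '  Computer Configuration > Policies > Windows Settings > Security Settings >'
    Write-Host "  Local Policies > User Rights Assignment > 'Log on as a service'"
    Write-Host "Add NT SERVICE\ALL SERVICES there, run 'gpupdate /force', then re-run this script."
}
```

If the right is reported as missing even though you added it locally, that is the situation described in the event's User Action text: a GPO applied to the server is defining SeServiceLogonRight without NT SERVICE\ALL SERVICES, so the fix has to go into that GPO.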