Is the VM facility only required for IDs that will actually perform signon? Do service machines (those that are XAUTOLOG'd and not signed on to directly) require this facility as well?
Per the doc, users that logon to a virtual machines are the ones that need the VM FACILITY:
If a user is not authorized, they will receive a FACILITY NOT AUTHORIZED message and get a security violation with a detailed reason code of 1C when running a TSSUTIL audit report.
XAUTOLOGed machines dont need the VM FACILITY.