The service account for ARM is recommended to be Local / Domain Admin. This gives a lot of permissions to an account. One thing I like to do with privileged service accounts is to disable local logon and terminal logon. This provides a good control in case the password is learned by unauthorized users. Unfortunately, ARM will not work properly when interactive login is disabled. Allowing this feature would greatly help us secure our service accounts.
The GPO settings can be found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment:
Deny log on locally
Deny log on through Terminal Services
Thanks,
Mike Streufert
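
To check whether the two deny rights named in the post are in force for a service account on a given host, the following added example (not part of the original post, and not ARM's own tooling) exports the host's user-rights assignment with `secedit` and looks for the account. The account name `CONTOSO\svc-arm` is a placeholder, and the script assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example: report whether an account is listed under the two deny-logon rights.
param([string]$Account = 'CONTOSO\svc-arm')   # placeholder account name (assumption)

# Privilege constants behind the two GPO settings named in the post.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Sid([string]$Entry) {
    # secedit writes each entry either as *S-1-5-... or as a plain account name.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Entry)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # unresolvable name: treated as no match
}

$targetSid = Resolve-Sid $Account
if (-not $targetSid) { throw "Cannot resolve account '$Account'" }

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE); run elevated" }
    $lines = Get-Content -Path $cfg

    foreach ($right in $rights.Keys) {
        # A right with no assignees has no line in the export at all.
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $entries = @()
        if ($line) {
            $entries = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        $sids = @($entries | ForEach-Object { Resolve-Sid $_ })
        [pscustomobject]@{
            Setting        = $rights[$right]
            Right          = $right
            DirectlyListed = $sids -contains $targetSid   # direct assignment only
            Entries        = $entries -join ', '          # review groups listed here by hand
        }
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

`DirectlyListed` is false when the right is granted through a group the account belongs to, so check the `Entries` column for such groups before concluding the control is missing.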