Why can a Domain Admin run a PowerShell command locally, but when connecting over WinRM with the same account, the command returns an UnauthorizedAccessException?
The Windows Update API is special. It specifically checks for and disallows remote access by checking if your token is marked as remote. I don't know why it was written this way.
I ended up creating a scheduled task and invoking the Windows Update API inside that - quite a nuisance.
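
The scheduled-task workaround described in the answer, as an added example (not the answerer's code): the remote session only registers and starts a task, and the Windows Update Agent COM calls run locally inside it. The host name, task name, directory and the choice of SYSTEM as the task principal are assumptions.

```powershell
# Added example, not from the original answer. Names and paths are hypothetical.
$ComputerName = 'SERVER01'                                  # placeholder host

Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $taskName = 'Adhoc-WindowsUpdate'
    # Admin-only directory: a SYSTEM task must never run a script that
    # standard users can modify.
    $workDir  = Join-Path $env:ProgramFiles 'AdhocWU'
    $worker   = Join-Path $workDir 'Install-Updates.ps1'
    $log      = Join-Path $workDir 'result.log'
    New-Item -ItemType Directory -Path $workDir -Force | Out-Null
    Remove-Item -Path $log -ErrorAction SilentlyContinue

    # Worker script: runs locally inside the task, so the token is not remote.
    @'
$log = Join-Path $PSScriptRoot 'result.log'
try {
    $session = New-Object -ComObject Microsoft.Update.Session
    $updates = $session.CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates
    if ($updates.Count -eq 0) { 'No applicable updates' | Set-Content $log; return }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $updates
    $null = $downloader.Download()
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $updates
    $result = $installer.Install()
    "ResultCode=$($result.ResultCode) RebootRequired=$($result.RebootRequired)" | Set-Content $log
} catch {
    "ERROR: $($_.Exception.Message)" | Set-Content $log
}
'@ | Set-Content -Path $worker -Encoding UTF8

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$worker`""
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $taskName

    # Wait (up to one hour) for the worker to write its result, then clean up.
    $deadline = (Get-Date).AddHours(1)
    while (-not (Test-Path $log) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    if (Test-Path $log) { Get-Content $log } else { 'Timed out waiting for the update task' }
}
```

The worker does not accept license terms or reboot the machine; updates that need either are reported through the result code and the `RebootRequired` flag in the log.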