Invoke-Command as a "Protected User"

In my dev env I’m trying out protected users and their admin abilities.
I know that Protected Users put some restrictions on accounts, e.g. in terms of logon protocols, but I’m a bit confused by this behavior:

So if I Invoke-Command against “localhost” I get Access denied. If I do it against a remote system, I’m getting in. What is the technical reason for this to happen?

One reason might be Remoting not being enabled on your local system. It isn’t enabled on client operating systems by default.

We did some more testing with 2 computers:

PC1 is able to run “invoke-command PC2 {hostname}”, but not “invoke-command PC1 {hostname}”

PC2 is able to run “invoke-command PC1 {hostname}”, but not “invoke-command PC2 {hostname}”

Both machines are running PS with accounts that have local admin permissions on both systems.

However, when doing the same with an administrator that is NOT in the protected users group - both commands work.

So it seems there is something fishy going on here.

We have PS remoting enabled via GPO on all related endpoints and use it daily for mgmt.

UPDATE: It also works with the protected users when adding “-Credential” to the command.