Had to use the ever-useful process-monitor in order to find out what the issue was. In this case a registry entry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Gave admins write access, and fixed!
P.S. And what was the super-important item that had to be written?
UPDATE: Discovered (Thanks to this post) that the issue was caused by the GPO I had created months ago as per the MS-specified confiker mitigation KB. (To be fair the article does warn about inability to install updates...but it was easy to miss.)