I'm trying to create a certificate template from PowerShell for an unattended deployment on an AWS Windows instance with CloudFormation.
The instructions are Section 3 from: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html#setupca
I have some PowerShell that seems to do what I need. After some messing around, I figured out how to join the domain and that the only way for the PowerShell to switch from the local admin to the domain admin is with a:
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "$DomainNetBIOSName\$Username", $Pass
start-job -Scriptblock $scriptblock -Credential $Credential
That works: I can set $scriptblock to {whoami} and see domain\admin, but it needs to run:
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Which causes an error:
CCertSrvSetup::InitializeDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
+ CategoryInfo : NotSpecified: (:) [Install-AdcsCertificationAuthority], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAuthority
+ PSComputerName : localhost
That needs "elevation", I assume??
So, back to the drawing board. There is a suggestion that you can use -Authentication Credssp to achieve this.
However, that then complains that "CredSSP authentication is currently disabled in the client configuration". I am assuming I'd need an elevated session to enable it. It also starts talking about using gpedit to change some settings. None of which is really feasible from a script, e.g.:
PS> Invoke-Command -Authentication Credssp -Scriptblock $ScriptBlock -ComputerName $env:COMPUTERNAME -Credential $Credential
[EC2AMAZ-I1PNQVH] Connecting to remote server EC2AMAZ-I1PNQVH failed with the following error message : The WinRM
client cannot process the request. CredSSP authentication is currently disabled in the client configuration. Change
the client configuration and try the request again. CredSSP authentication must also be enabled in the server
configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc
and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials
Delegation -> Allow Delegating Fresh Credentials.
So, how do I make my Windows server run a sensible deployment script automatically without having to login and click "allow"??
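The following is an added example, not the question author's script, of how the pieces discussed above (a local-admin bootstrap, a domain credential, CredSSP, and Install-AdcsCertificationAuthority) fit together in an unattended run. It assumes the script is itself already running as a local Administrator (as an EC2 user-data or cfn-init script does), that the instance is already domain-joined and rebooted, and that $DomainNetBIOSName, $Username and $Pass are supplied by the caller; AD-Certificate is the Windows feature name for the CA role. Enable-WSManCredSSP -Role Client -DelegateComputer writes the same "Allow Delegating Fresh Credentials" policy entry the error message points at, so gpedit is not needed. Because CredSSP hands the target your reusable credential, the delegation is scoped to the one host and removed in the finally block as soon as the install is done.

```powershell
# Added example (not the question's code): run an elevated, domain-authenticated
# ADCS install from an unattended bootstrap on the local machine, enabling
# CredSSP only for the duration of the job.
#
# Assumptions (not from the question): this script already runs as a local
# Administrator, the host is domain-joined, and the three parameters below are
# supplied by the caller (e.g. from CloudFormation parameters).

param(
    [Parameter(Mandatory)] [string] $DomainNetBIOSName,
    [Parameter(Mandatory)] [string] $Username,
    [Parameter(Mandatory)] [securestring] $Pass
)

$ErrorActionPreference = 'Stop'
$target = $env:COMPUTERNAME
$Credential = New-Object System.Management.Automation.PSCredential `
    -ArgumentList "$DomainNetBIOSName\$Username", $Pass

# 1. WinRM must be listening: Invoke-Command -Credential goes through it even
#    for localhost.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 2. Enable CredSSP on both sides for this one host only. The Client call also
#    writes the "Allow Delegating Fresh Credentials" policy entry for $target,
#    which is the gpedit setting named in the WinRM error. Never use "*" here.
Enable-WSManCredSSP -Role Server -Force | Out-Null
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

try {
    # 3. Inside a CredSSP session the delegated domain credential produces a
    #    full (unfiltered) domain-admin token, which is what the ADCS setup
    #    code needs; the Start-Job -Credential route gives a token that fails
    #    with ERROR_ACCESS_DENIED as shown in the question.
    $scriptblock = {
        Install-WindowsFeature AD-Certificate -IncludeManagementTools | Out-Null
        # The question's command used SHA1; SHA256 is the current usual choice.
        Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
            -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
            -KeyLength 2048 -HashAlgorithmName SHA256 `
            -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
        whoami   # should print DOMAIN\user, confirming the delegated identity
    }
    Invoke-Command -ComputerName $target -Credential $Credential `
        -Authentication Credssp -ScriptBlock $scriptblock
}
finally {
    # 4. CredSSP sends the target a reusable form of the credential, so remove
    #    the delegation as soon as the job is finished, even if it failed.
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}
```

Use the same name form (short hostname or FQDN) for -DelegateComputer and -ComputerName, since the delegation entry is matched against the WSMAN/&lt;host&gt; SPN the client resolves; on a freshly joined machine the short NetBIOS name, as above, is what Kerberos will have registered. Running the install once under an audited, time-boxed CredSSP window like this is preferable to leaving CredSSP enabled on the image.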
User contributions licensed under CC BY-SA 3.0