We can bring up a slave and connect successfully:

Apr 17, 2018 11:55:18 PM null }}{{FINER: Node windows-server-2012 (i-09233a1df87ee74c0)(i-09233a1df87ee74c0) is ready windows-server-2012 (i-09233a1df87ee74c0) booted at 1523569187000 Connecting to ip-172-16-2-40.ec2.internal(172.16.2.40) with WinRM as Administrator Connected with WinRM. Creating tmp directory if it does not exist slave.jar sent remotely. Bootstrapping it <===[JENKINS REMOTING CAPACITY]===>Remoting version: 3.17 This is a Windows agent Agent successfully connected and online

But there is a difference between running commands from the RDP desktop as Administrator, and from the slave connected via JNLP (which also seems to be Administrator, according to the output of `whoami`).

Running commands from RDP:

C:\Windows\system32>whoami
win-4iqcddh05vj\administrator

C:\Windows\system32>psexec
web.sandbox.MUNGED.com iisreset /restart
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
iisreset exited on web.sandbox.MUNGED.com with error code 0.

However, running the following code from the same server, via JNLP / Pipeline, results in a `handle is invalid` error:

environment {
  SERVER = 'web.sandbox.MUNGED.com'
}
steps {
  bat "whoami"
  bat "psexec \\\\${SERVER} iisreset /restart"
}

Results in:

00:19:24 [control-pipeline] Running batch script
{{00:19:28 }}
00:19:28 c:\jenkins\workspace\control-pipeline>whoami
00:19:28 win-4iqcddh05vj\administrator
[Pipeline] bat
00:19:34 [control-pipeline] Running batch script
{{00:19:38 }}
{{00:19:38 c:\jenkins\workspace\control-pipeline>psexec
web.sandbox.MUNGED.com iisreset /restart }}
{{00:19:38 }}
00:19:38 PsExec v2.2 - Execute processes remotely
00:19:38 Copyright (C) 2001-2016 Mark Russinovich
00:19:38 Sysinternals - www.sysinternals.com
{{00:19:38 }}
00:19:38 The handle is invalid.
00:19:38 Connecting to web.sandbox.MUNGED.com...
Couldn't access web.sandbox.MUNGED.com:
00:19:40 Connecting to web.sandbox.MUNGED.com...

We also see different behaviour between the two when running Powershell steps, but I left those out of here due to the convoluted nature of Powershell configuration. I'm sure it's the same root cause. Please let me know what extra information I can provide to help debug this. I set to Major as I don't see a workaround.

Edit: I finally found a difference (note the arrow).

RDP:

C:\Windows\system32>query session
{{ SESSIONNAME USERNAME ID STATE TYPE DEVICE}}
{{ services 0 Disc}}
{{ console 1 Conn}}
>rdp-tcp#12 Administrator 2 Active
{{ rdp-tcp 65536 Listen}}

And Jenkins JNLP:

{{18:18:16 c:\jenkins\workspace\control-pipeline>query session }}
{{18:18:16 SESSIONNAME USERNAME ID STATE TYPE DEVICE }}
{{18:18:16 >services 0 Disc }}
{{18:18:16 console 1 Conn }}
{{18:18:16 rdp-tcp#12 Administrator 2 Active }}
18:18:16 rdp-tcp 65536 Listen