After re-installing the RSAT package (thanks to the November Win10 update removing/ignoring my previous install), discovered that Server Manager wouldn't play nice: "WinRM Negotiate authentication error". Several forum searches pointed to various bits of Voodoo, but none of them worked. (Were some of them needed or contributed? Who knows...who needs change management on a home server, right? Riiiigggght.
Finally, found via this post, it's actually in the official documentation:
Set-Item wsman:\localhost\Client\TrustedHosts ServerHostname -Concatenate -Force
(Note this is with 2012R2, I haven't tried with 2016 yet, as the upgrade UI eventually displays a blank screen that is non-responsive.)