in our environment all PowerShell must be signed, this is enforced via Carbon Black Protect.
When the content of a signed script is placed into the PowerShell step. the resulting user.ps1 has had the leading blank lines and any final line endings are removed.
The leading blank line is easy to fix in the original file that was signed. but deleting the final CRLF brakes the Authenticode signature.