Hi there,
Since you want certain users to be able to do it and the rest no, the easier way is to use the access protection in ENS.
I am using it like this:
Step1) Create a rule and include any file (*).
Step2) Add user name for exclusion later.
Step3) Create a subrule for the type "Processes"
Step4-1) Add as name or hash file for the Powershell engines (This is a subrule inside step3)
Step4-2) Add the data name which is .ps1 (This is a subrule inside step3)
Take look at the attached screen shots