GPO: execute a PowerShell script at computer startup


I am trying to set up a GPO to deploy a PowerShell script which enables WinRM with HTTPS on a self-signed SSL certificate.

I know that there are two ways to execute a PowerShell script at computer startup:

  1. create an immediate task which starts a program with path: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe, arguments: -ExecutionPolicy Bypass -command "& \\unc\path\to\PowerShellScript.ps1", user account: DOMAIN\System, with "Run whether user is logged on or not", "Run with highest privileges" and "Apply once and do not reapply" enabled
  2. create a startup PowerShell script from \\unc\path\to\PowerShellScript.ps1 or \\my.domain.local\SysVol\my.domain.local\Policies\{policy}\Machine\Scripts\Startup\PowerShellScript.ps1

If I am not wrong, the second option needs the PowerShell execution policy to be configured as Unrestricted, but this is one thing I'd prefer to avoid.

So I tried the first option but unfortunately I'm receiving the following error when the test Windows 10 client tries to run the script:

Log Name:      Application
Source:        Group Policy Scheduled Tasks
Date:          12/26/2020 6:53:33 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      testclient.my.domain.local
Description:
The computer 'Enable WinRM HTTPS Listener' preference item in the 'Abilita WinRM HTTPS {3EC930E8-0627-4018-BD81-175250762BEE}' Group Policy Object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Group Policy Scheduled Tasks" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-12-26T17:53:33.033401100Z" />
    <EventRecordID>13395</EventRecordID>
    <Channel>Application</Channel>
    <Computer>testclient.my.domain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>computer</Data>
    <Data>Enable WinRM HTTPS Listener</Data>
    <Data>Abilita WinRM HTTPS {3EC930E8-0627-4018-BD81-175250762BEE}</Data>
    <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
  </EventData>
</Event>

If I am not wrong, this error is really generic and I cannot understand what's going on. I am thinking that the computer's local SYSTEM account could not access \\unc\path\to\PowerShellScript.ps1, but I cannot understand how I can let it access it, as anonymous access to network paths is not enabled on Windows 10 by default (and I prefer not to enable it).

So now I'm stuck and I am trying to find out how to proceed:

  • do you think the first option (the immediate task) is better than the second (the startup script)?
  • do you know another way to do what I need?
  • do you know what could be causing the 0x80070534 error?
  • do you have any other ideas/advice?

Thank you!

windows
active-directory
powershell
group-policy
windows-10
asked on Server Fault Dec 27, 2020 by Mat
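The following is an added example, not code from the question or from any answer. It covers the two things a practitioner would want to check here: first, whether the RunAs principal name given in the Group Policy Preferences task can actually be translated to a SID (0x80070534 is Win32 error 1332, ERROR_NONE_MAPPED, which is exactly what the Windows lookup returns when the account name cannot be mapped), and second, what the startup script itself has to do to stand up a WinRM HTTPS listener on a self-signed certificate. The function names Test-AccountMapping and Enable-WinRMHttpsListener, the firewall rule name, and the choice to derive the certificate DNS name from the local host are assumptions for illustration; only the domain and UNC path in the comments come from the question.

```powershell
# Added example (not from the original post).
# Part 1: translate account names to SIDs the way the task scheduler must when it
#         stores a RunAs principal. A name that does not map throws
#         IdentityNotMappedException, the same condition GPP reports as 0x80070534.
# Part 2: the body of a startup script that enables a WinRM HTTPS listener with a
#         self-signed certificate (the design described in the question).
# Assumed/hypothetical: function names, the 'WinRM HTTPS' firewall rule name, and
# using the local FQDN as the certificate subject.

function Test-AccountMapping {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$n).Translate(
                       [System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{ Name = $n; Sid = $sid.Value; Resolves = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No mapping between account names and security IDs (ERROR_NONE_MAPPED, 1332 = 0x534).
            [pscustomobject]@{ Name = $n; Sid = $null; Resolves = $false }
        }
    }
}

function Enable-WinRMHttpsListener {
    param(
        # Certificate subject; defaults to the machine's FQDN (assumption for this example).
        [string]$DnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    # Self-signed server certificate in the machine store, as the question specifies.
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'

    # Make sure the WinRM service runs at boot and is up now.
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM

    # Remove any existing HTTPS listener so the script is idempotent when the task re-runs.
    Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }

    # Create the HTTPS listener on all addresses, bound to the new certificate.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
             -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

    # Open TCP 5986 inbound (rule name is an assumption for this example).
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
                        -LocalPort 5986 -Action Allow -ErrorAction SilentlyContinue | Out-Null

    return $cert.Thumbprint
}

# Usage, run as an administrator on the test client:
# 1) Check which RunAs names the task scheduler can map. Put the exact value configured in the
#    GPP task (the question uses DOMAIN\System) in this list alongside the well-known ones.
Test-AccountMapping -Name 'NT AUTHORITY\SYSTEM',
                          'NT AUTHORITY\NETWORK SERVICE',
                          "$env:COMPUTERNAME\NoSuchAccount" | Format-Table -AutoSize

# 2) Configure the listener and show what was created.
$thumb = Enable-WinRMHttpsListener
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table -AutoSize
"Listener bound to certificate thumbprint $thumb"
```

Two points worth checking alongside this. The local SYSTEM account reaches a UNC path as the computer account (DOMAIN\COMPUTERNAME$), not anonymously, so the share and NTFS permissions on \\unc\path\to need to grant read to Domain Computers (or the specific computer objects) rather than requiring anonymous access to be turned on. And the -ExecutionPolicy Bypass argument already shown in the task applies only to that process, so Get-ExecutionPolicy -List on the client can stay at its default for every other scope while this script runs.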

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0