Retire v1 per-pctype enforcers; GE-Enforce is the sole dispatcher

Stage 2a (GE-Enforce.ps1, landed 2026-04-22) is now the only ongoing-update
enforcer. The legacy per-pctype tasks (Machine-Enforce, Common-Enforce,
CMM-Enforce, Keyence-Enforce, Acrobat-Enforce) were kept as transition
belt-and-suspenders; with retrofitted PCs handled, the v1 path is dead and
gets removed entirely.

Deleted (13 files):
  Standard/{Machine-Enforce,Register-MachineEnforce}.ps1
  Standard/machineapps-manifest.template.json
  common/{Common-Enforce,Acrobat-Enforce,Register-CommonEnforce,Register-AcrobatEnforce}.ps1
  common/common-apps-manifest.template.json
  CMM/CMM-Enforce.ps1
  Keyence/Keyence-Enforce.ps1
  {CMM,Keyence,Standard}/lib/Install-FromManifest.ps1 (orphan dups of common/lib)

Trimmed:
  Run-ShopfloorSetup.ps1: dropped the legacy register-* invocations (Common,
    Machine) and the transition-period comment. Sole enforcer registration
    is now Register-GEEnforce.
  09-Setup-Keyence.ps1: keeps imaging-time install (step 1); removes the
    enforcer staging (step 2) and scheduled-task registration (step 3).
    Library lookup repointed to common/lib/Install-FromManifest.ps1.
  09-Setup-CMM.ps1: same treatment - keeps .NET 3.5 enable, install,
    PC-DMIS ACL grants, and bootstrap cleanup. Library repointed to common/lib.
  cmm-manifest.json + keyence-manifest.json: _comment fields updated to
    reflect imaging-time-only role (ongoing enforcement now goes through
    the v2 share manifests via GE-Enforce).

Verified clean: no orphan references to *-Enforce.ps1 / Register-*Enforce.ps1
/ machineapps-manifest / common-apps-manifest in any code path that runs.
A few historical mentions remain in unmodified header comments (GE-Enforce.ps1,
Deploy-GEEnforce.ps1, Monitor-IntuneProgress.ps1) describing what the new
dispatcher replaced; left as historical context.

Run-ShopfloorSetup.ps1 also picks up an unrelated 1-line hunk adding
SetShopfloorAutoLogon.bat to the desktop-copy list (already in the working
tree from a prior session). The file itself is not yet tracked; the
desktop-copy step is Test-Path-guarded so this is harmless until the
.bat is committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1

@@ -3,19 +3,20 @@
 # At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
 # has not provisioned the share credentials that early. So we install from a
 # WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
-# the tech picks pc-type=CMM), then register a logon-triggered scheduled
-# task that runs CMM-Enforce.ps1 for ongoing updates from the share.
+# the tech picks pc-type=CMM). Ongoing enforcement is handled by GE-Enforce
+# (registered separately in Run-ShopfloorSetup.ps1) reading cmm/manifest.json
+# from the tsgwp00525 share.
 #
 # Sequence:
 #   1. Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
 #      is an off-by-default optional feature).
 #   2. Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json.
-#   3. Stage Install-FromManifest.ps1 + CMM-Enforce.ps1 + the manifest to
-#      C:\Program Files\GE\CMM so the scheduled task has them after imaging.
-#   4. Register a SYSTEM scheduled task "GE CMM Enforce" that runs
-#      CMM-Enforce.ps1 on any user logon.
-#   5. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
-#      The share-side enforcer takes over from here.
+#   2.5. Grant BUILTIN\Users Modify on PC-DMIS install dirs (Hexagon-documented
+#        approach for non-admin runtime).
+#   3. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
+#
+# Library lookup: the imaging-time install uses the common Install-FromManifest
+# library at ..\common\lib\Install-FromManifest.ps1 (relative to $PSScriptRoot).
 #
 # Log: C:\Logs\CMM\09-Setup-CMM.log (stdout from this script) plus the
 # install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.
@@ -24,13 +25,7 @@ $ErrorActionPreference = 'Continue'
 
 $stagingRoot    = 'C:\CMM-Install'
 $stagingMani    = Join-Path $stagingRoot 'cmm-manifest.json'
-$libSource      = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
-$enforceSource  = Join-Path $PSScriptRoot 'CMM-Enforce.ps1'
-
-$runtimeRoot    = 'C:\Program Files\GE\CMM'
-$runtimeLibDir  = Join-Path $runtimeRoot 'lib'
-$runtimeLib     = Join-Path $runtimeLibDir 'Install-FromManifest.ps1'
-$runtimeEnforce = Join-Path $runtimeRoot 'CMM-Enforce.ps1'
+$libSource      = Join-Path $PSScriptRoot '..\common\lib\Install-FromManifest.ps1'
 
 $logDir        = 'C:\Logs\CMM'
 $logFile       = Join-Path $logDir 'install.log'
@@ -163,65 +158,10 @@ foreach ($dir in $pcdmisDirs) {
 }
 
 # ============================================================================
-# Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
+# Step 3: Clean up the bootstrap staging dir
 # ============================================================================
-# These files survive past the bootstrap cleanup so the logon-triggered
-# scheduled task can run them. The manifest is staged as well so the enforcer
-# has a fallback in case the share copy is unreachable on first logon.
-Write-CMMLog "Staging runtime scripts to $runtimeRoot"
-foreach ($dir in @($runtimeRoot, $runtimeLibDir)) {
-    if (-not (Test-Path $dir)) {
-        New-Item -Path $dir -ItemType Directory -Force | Out-Null
-    }
-}
-Copy-Item -Path $libSource     -Destination $runtimeLib     -Force
-Copy-Item -Path $enforceSource -Destination $runtimeEnforce -Force
-
-# ============================================================================
-# Step 4: Register "GE CMM Enforce" scheduled task (logon trigger, SYSTEM)
-# ============================================================================
-$taskName = 'GE CMM Enforce'
-
-# Drop any stale version first so re-imaging is idempotent.
-$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
-if ($existing) {
-    Write-CMMLog "Removing existing scheduled task '$taskName'"
-    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
-}
-
-Write-CMMLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
-try {
-    $action    = New-ScheduledTaskAction `
-        -Execute 'powershell.exe' `
-        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
-
-    $trigger   = New-ScheduledTaskTrigger -AtLogOn
-    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
-    $settings  = New-ScheduledTaskSettingsSet `
-        -AllowStartIfOnBatteries `
-        -DontStopIfGoingOnBatteries `
-        -StartWhenAvailable `
-        -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
-        -MultipleInstances IgnoreNew
-
-    Register-ScheduledTask `
-        -TaskName $taskName `
-        -Action $action `
-        -Trigger $trigger `
-        -Principal $principal `
-        -Settings $settings `
-        -Description 'GE CMM: enforce Hexagon apps against tsgwp00525 SFLD share on user logon' | Out-Null
-
-    Write-CMMLog "Scheduled task registered"
-} catch {
-    Write-CMMLog "Failed to register scheduled task: $_" "ERROR"
-}
-
-# ============================================================================
-# Step 5: Clean up the bootstrap staging dir
-# ============================================================================
-# ~2 GB reclaimed. From here on, CMM-Enforce.ps1 runs against the tsgwp00525
-# share, which is the canonical source for ongoing updates.
+# ~2 GB reclaimed. From here on, GE-Enforce takes over from the tsgwp00525
+# share for ongoing updates.
 if (Test-Path $stagingRoot) {
     Write-CMMLog "Deleting bootstrap staging at $stagingRoot"
     try {