Retire v1 per-pctype enforcers; GE-Enforce is the sole dispatcher

Stage 2a (GE-Enforce.ps1, landed 2026-04-22) is now the only ongoing-update
enforcer. The legacy per-pctype tasks (Machine-Enforce, Common-Enforce,
CMM-Enforce, Keyence-Enforce, Acrobat-Enforce) were kept as transition
belt-and-suspenders; with retrofitted PCs handled, the v1 path is dead and
gets removed entirely.

Deleted (13 files):
  Standard/{Machine-Enforce,Register-MachineEnforce}.ps1
  Standard/machineapps-manifest.template.json
  common/{Common-Enforce,Acrobat-Enforce,Register-CommonEnforce,Register-AcrobatEnforce}.ps1
  common/common-apps-manifest.template.json
  CMM/CMM-Enforce.ps1
  Keyence/Keyence-Enforce.ps1
  {CMM,Keyence,Standard}/lib/Install-FromManifest.ps1 (orphan dups of common/lib)

Trimmed:
  Run-ShopfloorSetup.ps1: dropped the legacy register-* invocations (Common,
    Machine) and the transition-period comment. Sole enforcer registration
    is now Register-GEEnforce.
  09-Setup-Keyence.ps1: keeps imaging-time install (step 1); removes the
    enforcer staging (step 2) and scheduled-task registration (step 3).
    Library lookup repointed to common/lib/Install-FromManifest.ps1.
  09-Setup-CMM.ps1: same treatment - keeps .NET 3.5 enable, install,
    PC-DMIS ACL grants, and bootstrap cleanup. Library repointed to common/lib.
  cmm-manifest.json + keyence-manifest.json: _comment fields updated to
    reflect imaging-time-only role (ongoing enforcement now goes through
    the v2 share manifests via GE-Enforce).

Verified clean: no orphan references to *-Enforce.ps1 / Register-*Enforce.ps1
/ machineapps-manifest / common-apps-manifest in any code path that runs.
A few historical mentions remain in unmodified header comments (GE-Enforce.ps1,
Deploy-GEEnforce.ps1, Monitor-IntuneProgress.ps1) describing what the new
dispatcher replaced; left as historical context.

Run-ShopfloorSetup.ps1 also picks up an unrelated 1-line hunk adding
SetShopfloorAutoLogon.bat to the desktop-copy list (already in the working
tree from a prior session). The file itself is not yet tracked; the
desktop-copy step is Test-Path-guarded so this is harmless until the
.bat is committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cproudlock
2026-04-29 09:55:40 -04:00
parent 8564a37541
commit 0badfc1983
18 changed files with 28 additions and 2096 deletions


@@ -165,7 +165,7 @@ foreach ($name in $runAfterTypeSpecific) {
Write-Host "Shopfloor setup complete for $pcType."
# --- Copy utility scripts to SupportUser desktop ---
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat', 'Force-Lockdown.bat')) {
foreach ($tool in @('sync_intune.bat', 'Configure-PC.bat', 'Force-Lockdown.bat', 'SetShopfloorAutoLogon.bat')) {
$src = Join-Path $setupDir "Shopfloor\$tool"
if (Test-Path $src) {
Copy-Item -Path $src -Destination "C:\Users\SupportUser\Desktop\$tool" -Force
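Review bot: The 'SetShopfloorAutoLogon.bat' entry added to the foreach list is unrelated to the enforcer retirement, and the commit message says the file is not yet tracked, so this line cannot be reviewed against what it copies. Move it into the commit that adds the .bat, so that a script dealing with auto-logon lands on the SupportUser desktop together with its contents. The visible `if (Test-Path $src) {` guard copies only when the file exists; if no else branch logs the skip, a missing tool goes unnoticed, so a Write-Warning there would make the gap visible during imaging.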
@@ -288,14 +288,9 @@ Unregister-ScheduledTask -TaskName 'GE Re-enable Wired NICs' -Confirm:$false -Er
$commonSetupDir = Join-Path $PSScriptRoot 'common'
# --- Register the unified GE-Enforce scheduled task ---
# Replaces the per-type legacy enforcers (CMM-Enforce, Keyence-Enforce,
# Machine-Enforce, Common-Enforce, Acrobat-Enforce). Register-GEEnforce.ps1
# unregisters any of those legacy tasks before creating the new one, so
# running this after the legacy Register-* invocations below is harmless
# and race-free. Once a future repo cleanup retires the legacy Register-*
# scripts entirely, those invocations below can be removed. Until then we
# accept a brief moment of duplicate registration that Register-GEEnforce
# itself resolves.
# Single dispatcher for all PC-type ongoing-update enforcement. Reads
# per-pctype manifest.json from the tsgwp00525 share and processes
# common + per-type + per-type-subtype manifests in order.
$registerGE = Join-Path $commonSetupDir 'Register-GEEnforce.ps1'
if (Test-Path -LiteralPath $registerGE) {
Write-Host ""
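Review bot: The replacement comment above `$registerGE` drops the statement that Register-GEEnforce.ps1 unregisters the legacy tasks (CMM-Enforce, Keyence-Enforce, Machine-Enforce, Common-Enforce, Acrobat-Enforce), which is the only place this file documented that behaviour. Now that the legacy scripts are deleted, that unregistration is what keeps a previously imaged PC from holding a scheduled task that points at a script no longer shipped, so keep one line saying it still happens and should not be removed from Register-GEEnforce.ps1. The new text also names the tsgwp00525 share as the source of the manifests that decide what gets installed; a pointer to where the share path is configured and who may write to it would help the next reader.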
@@ -316,17 +311,7 @@ if (Test-Path -LiteralPath $registerGE) {
Write-Warning "GE-Enforce registration failed: $_"
}
} else {
Write-Host "Register-GEEnforce.ps1 not found - skipping (legacy per-type enforcers remain active)"
}
# Legacy Common enforcer: kept for the transition period; GE-Enforce
# unregisters the task it creates. Remove this block when the legacy
# Common-Enforce.ps1 is retired from the repo.
$registerCommon = Join-Path $commonSetupDir 'Register-CommonEnforce.ps1'
if (Test-Path -LiteralPath $registerCommon) {
Write-Host ""
Write-Host "=== (legacy) Registering Common Apps enforcer - will be superseded by GE-Enforce ==="
try { & $registerCommon } catch { Write-Warning "Common enforce registration failed: $_" }
Write-Warning "Register-GEEnforce.ps1 not found - no ongoing enforcement will run on this PC"
}
# Map S: drive on user logon for every account in BUILTIN\Users. The
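Review bot: In the else branch, a missing Register-GEEnforce.ps1 now only emits `Write-Warning "Register-GEEnforce.ps1 not found - no ongoing enforcement will run on this PC"` and setup continues, while this same hunk removes the Register-CommonEnforce fallback, so that path ends with a PC that has no update enforcer at all. The catch shown at the top of the hunk ("GE-Enforce registration failed: $_") has the same outcome. Consider treating both as a setup failure, or at least recording the state somewhere that survives the console session (a log file or a flag checked later in the run), so an unenforced PC is not handed over as complete.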
@@ -342,20 +327,6 @@ if (Test-Path -LiteralPath $registerMapShare) {
Write-Host "Register-MapSfldShare.ps1 not found (optional) - skipping"
}
# Standard-Machine gets a machine-apps enforcer (UDC, eDNC, NTLARS) that
# replaced the Intune DSC path (DSC has no sub-type awareness and was
# pushing these to Timeclocks). Timeclocks skip this registration.
if ($pcType -eq "Standard" -and $pcSubType -eq "Machine") {
$registerMachine = Join-Path $setupDir "Standard\Register-MachineEnforce.ps1"
if (Test-Path -LiteralPath $registerMachine) {
Write-Host ""
Write-Host "=== Registering Machine-apps enforcer ==="
try { & $registerMachine } catch { Write-Warning "Machine enforce registration failed: $_" }
} else {
Write-Host "Register-MachineEnforce.ps1 not found (optional) - skipping"
}
}
# --- Run enrollment (PPKG install) ---
# Enrollment is the LAST thing we do. Install-ProvisioningPackage triggers
# an immediate reboot -- everything after this call is unlikely to execute.
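Review bot: The removed block was the one place in this script that gated the machine-apps enforcer on `$pcType -eq "Standard" -and $pcSubType -eq "Machine"`, and its comment recorded why: the sub-type-unaware path had been pushing UDC, eDNC and NTLARS to Timeclocks. With the gate gone, that separation depends entirely on the per-type-subtype manifests that GE-Enforce reads, and nothing visible here confirms that the Standard/Machine manifest carries those three apps or that the Timeclock one excludes them. Keep a short comment at this spot pointing to the manifest that now carries the restriction, and state in the commit message that the Timeclock case was checked.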