Keyence VR-3000 G2: imaging-time FIPS opt-out for .exe.configs

Under Intune-enforced LSA FIPS policy, Profilometer / VRAnalyzer /
VRInspection apps crash at device init when MD5CryptoServiceProvider's
ctor is called to verify the probe EEPROM calibration (see keyence3000.txt
+ .png in pxe-images for the dialog + stack).

Patch each .exe.config under C:\Program Files\KEYENCE\<model>\ with
<runtime><enforceFIPSPolicy enabled="false"/></runtime>. Scope is app-CLR
only; OS-wide Lsa FIPS policy stays enforced. CMMC posture: scoped
exception, non-CUI integrity hash, documented in SSP. Each affected bay's
hostname must be on InfoSec's FIPS-exception list before imaging.

09-Setup-Keyence.ps1 gates the patch behind model=vr3000 only. vr5000 /
vr6000 bays do not auto-apply. Verified on win11 VM via qga: 29 configs
across vr5000+vr6000 layouts (vr3000 install was incomplete on VM),
patched + idempotent on re-run, existing <runtime> children preserved.
Also verified on a real PC: 27 patched + 2 skipped (Keyence pre-shipped
the element in two configs), 0 errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/gea-shopfloor-keyence/09-Setup-Keyence.ps1

@@ -184,6 +184,41 @@ if ($dxPath) {
     Write-KeyenceLog "DXSETUP.exe not found under either Program Files - DirectX install skipped" 'WARN'
 }
 
+# ============================================================================
+# Step 1.6: FIPS opt-out for Keyence .NET apps (VR-3000 G2 only)
+# ============================================================================
+# REQUIREMENT BEFORE IMAGING: the bay's hostname must be reported to GE
+# InfoSec and added to the documented FIPS-exception list. Do not image a
+# VR-3000 G2 bay through this path without that ticket on record.
+#
+# Why: Keyence VR-series Viewer / Analyzer / Inspection apps read EEPROM
+# calibration from the probe and verify it via MD5CryptoServiceProvider.
+# Under Intune-enforced LSA FIPS policy that ctor throws (see
+# keyence3000.txt / .png in pxe-images for the dialog + stack trace).
+# Patch every .exe.config under C:\Program Files\KEYENCE\<model>\ with
+# <runtime><enforceFIPSPolicy enabled="false"/></runtime>.
+#
+# Scope: app-level CLR only. Does NOT touch OS-wide Lsa policy. Intune /
+# Defender baselines on the Lsa key remain enforced. CMMC posture: scoped
+# exception, non-CUI integrity hash, documented in SSP. Currently only
+# approved for VR-3000 G2 model; vr5000 / vr6000 bays do not auto-apply.
+if ($model -eq 'vr3000') {
+    $fipsPatch = Join-Path $PSScriptRoot 'common\Patch-KeyenceFipsConfigs.ps1'
+    if (Test-Path -LiteralPath $fipsPatch) {
+        Write-KeyenceLog "Running FIPS opt-out patch (VR-3000 G2): $fipsPatch"
+        Write-KeyenceLog "  REMINDER: confirm bay hostname is on InfoSec FIPS-exception list before production cutover"
+        try {
+            & $fipsPatch 2>&1 | ForEach-Object { Write-KeyenceLog "  $_" }
+        } catch {
+            Write-KeyenceLog "  FIPS patch failed: $_" 'WARN'
+        }
+    } else {
+        Write-KeyenceLog "Patch-KeyenceFipsConfigs.ps1 not found at $fipsPatch - FIPS opt-out skipped" 'WARN'
+    }
+} else {
+    Write-KeyenceLog "FIPS opt-out patch not applied: model=$model (only vr3000 currently approved)"
+}
+
 # ============================================================================
 # Step 2: OpenText auto-start at login (HostExplorer "WJ Shopfloor" session)
 # ============================================================================