diff --git a/playbook/shopfloor-setup/common/Register-GEEnforce.ps1 b/playbook/shopfloor-setup/common/Register-GEEnforce.ps1
index 81c154b..0d6f0c5 100644
--- a/playbook/shopfloor-setup/common/Register-GEEnforce.ps1
+++ b/playbook/shopfloor-setup/common/Register-GEEnforce.ps1
@@ -57,8 +57,11 @@ $action = New-ScheduledTaskAction `
 # --- Triggers ---
 # Per-PC random offset [0, 5) min so 200 PCs don't all fire on :00/:05/:10/...
 # Derived from hostname hash so the same PC always picks the same offset.
+# SHA-256 instead of MD5 because FIPS-enforced PCs (System Cryptography
+# Group Policy) disable MD5 entirely and would throw here; SHA-256 is
+# FIPS 180-4 approved.
 $hostHash = [System.BitConverter]::ToUInt32(
- [System.Security.Cryptography.MD5]::Create().ComputeHash(
+ [System.Security.Cryptography.SHA256]::Create().ComputeHash(
 [System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)), 0)
 $offsetMin = $hostHash % 5 # 0..4
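Review bot: The `SHA256` object created inline in the new `$hostHash` expression is never disposed; holding it in a variable and calling `Dispose()` in a `finally` releases whatever provider handle it may wrap as soon as the digest is computed. The switch of algorithm also changes the first four digest bytes for every hostname, so most PCs will get a different offset the next time the task is registered. The comment "the same PC always picks the same offset" therefore holds only per algorithm, and it would help to say so there and to state that the hash is used purely for load spreading, not as a security control. The rest of the script, including the `New-ScheduledTaskAction` call named in the hunk header, lies outside this hunk.

```powershell
$sha = [System.Security.Cryptography.SHA256]::Create()
try {
    $hostHash = [System.BitConverter]::ToUInt32(
        $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)), 0)
} finally {
    $sha.Dispose()
}
# ... unchanged: $offsetMin = $hostHash % 5 ...
```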