From ba03f6346584adb4e0a2437ca03ef39e4e720cf3 Mon Sep 17 00:00:00 2001
From: cproudlock
Date: Wed, 22 Apr 2026 12:39:26 -0400
Subject: [PATCH] Register-GEEnforce: use SHA-256 instead of MD5 for per-PC jitter offset

FIPS-enforced PCs (System cryptography GPO) reject non-approved algorithms at the .NET crypto API level. MD5 throws "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms" on .Create(), which aborts Register-GEEnforce before the scheduled task is built.

SHA-256 is FIPS 180-4 approved and its default .NET provider is validated, so SHA256.Create() works under FIPS mode. Functionally equivalent for the 0-4 minute modulo we need for jitter.

Hit this live on the first production retrofit. Enforcer runtime files were copied and legacy tasks were unregistered, but the new task creation aborted. Rerunning Deploy-GEEnforce.ps1 is idempotent and recovers.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 playbook/shopfloor-setup/common/Register-GEEnforce.ps1 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/playbook/shopfloor-setup/common/Register-GEEnforce.ps1 b/playbook/shopfloor-setup/common/Register-GEEnforce.ps1
index 81c154b..0d6f0c5 100644
--- a/playbook/shopfloor-setup/common/Register-GEEnforce.ps1
+++ b/playbook/shopfloor-setup/common/Register-GEEnforce.ps1
@@ -57,8 +57,11 @@ $action = New-ScheduledTaskAction ` # --- Triggers --- # Per-PC random offset [0, 5) min so 200 PCs don't all fire on :00/:05/:10/... # Derived from hostname hash so the same PC always picks the same offset. +# SHA-256 instead of MD5 because FIPS-enforced PCs (System Cryptography +# Group Policy) disable MD5 entirely and would throw here; SHA-256 is +# FIPS 180-4 approved. $hostHash = [System.BitConverter]::ToUInt32( - [System.Security.Cryptography.MD5]::Create().ComputeHash( + [System.Security.Cryptography.SHA256]::Create().ComputeHash( [System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)), 0) $offsetMin = $hostHash % 5 # 0..4
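Review bot: the new comment in this hunk says FIPS-enforced PCs "disable MD5 entirely", which overstates what the commit message itself describes: the policy makes the .NET MD5 provider throw on .Create(), it does not remove MD5 from the platform. Suggest wording the comment to match, e.g. `# .NET's MD5 provider throws on Create() when the FIPS policy is enabled; SHA-256 is FIPS 180-4 approved.` While here, the object returned by `[System.Security.Cryptography.SHA256]::Create()` is IDisposable and is never disposed (the MD5 line had the same leak); binding it to a variable and calling .Dispose() in a finally block would close that. The derivation itself is sound: ToUInt32 reads the first 4 bytes of the 32-byte digest and `% 5` keeps the 0..4 range the comment promises.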
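The failure the commit message describes is worth being able to reproduce before a rollout rather than discovering it mid-retrofit. The following is an added example, not part of this patch or of the Deploy-GEEnforce playbook: it reads the FIPS policy state both from the LSA registry value the GPO sets and from what the running .NET Framework reports, probes which hash providers .Create() will actually hand back on this PC, and computes the same per-PC jitter offset the patched script uses (with the hash object disposed). The function names are my own; it assumes Windows PowerShell 5.1 on .NET Framework.

```powershell
# Added example (not the project's code). Probe FIPS enforcement the way
# Register-GEEnforce will hit it, then compute the per-PC jitter offset.
# Function names are hypothetical; assumes Windows PowerShell 5.1 / .NET Framework.

function Get-FipsPolicyState {
    # Two views of the same policy: the LSA registry value written by the
    # "System cryptography: Use FIPS compliant algorithms" GPO, and what the
    # .NET runtime in this process believes (it caches the value at startup).
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                            -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistryEnabled = [bool]($reg.Enabled)
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashProvider {
    param([Parameter(Mandatory)][string]$Algorithm)   # e.g. 'MD5', 'SHA1', 'SHA256'
    # Create() is where FIPS enforcement throws, so that call is what we exercise;
    # a null return means no provider is registered under that name at all.
    try {
        $h = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
        if ($null -eq $h) { throw "no provider registered for $Algorithm" }
        try {
            [void]$h.ComputeHash([byte[]]@(0))
            [pscustomobject]@{ Algorithm = $Algorithm; Usable = $true;  Provider = $h.GetType().Name; Error = $null }
        } finally { $h.Dispose() }
    } catch {
        [pscustomobject]@{ Algorithm = $Algorithm; Usable = $false; Provider = $null; Error = $_.Exception.Message }
    }
}

function Get-JitterOffsetMinutes {
    param([string]$HostName = $env:COMPUTERNAME, [int]$Window = 5)
    # Same derivation as the patched Register-GEEnforce: first 4 bytes of
    # SHA-256(UTF-8 hostname) read as an unsigned int, modulo the window.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($HostName))
    } finally { $sha.Dispose() }
    [System.BitConverter]::ToUInt32($digest, 0) % $Window
}

Get-FipsPolicyState
'MD5', 'SHA1', 'SHA256' | ForEach-Object { Test-HashProvider -Algorithm $_ } | Format-Table -AutoSize
"Jitter offset for $env:COMPUTERNAME: $(Get-JitterOffsetMinutes) min"
```

On a PC where the GPO is applied, the MD5 row comes back with Usable = False and the "not part of the Windows Platform FIPS validated cryptographic algorithms" message from the commit message, while SHA256 creates normally; running this as a pre-check in the deployment script turns a mid-run abort into an early, explicit failure.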