Register-GEEnforce: use SHA-256 instead of MD5 for per-PC jitter offset

FIPS-enforced PCs (System cryptography GPO) reject non-approved
algorithms at the .NET crypto API level. MD5 throws
"This implementation is not part of the Windows Platform FIPS
validated cryptographic algorithms" on .Create(), which aborts
Register-GEEnforce before the scheduled task is built.

SHA-256 is FIPS 180-4 approved and its default .NET provider is
validated, so SHA256.Create() works under FIPS mode. Functionally
equivalent for the 0-4 minute modulo we need for jitter.

Hit this live on the first production retrofit. Enforcer runtime
files were copied and legacy tasks were unregistered, but the new
task creation aborted. Rerunning Deploy-GEEnforce.ps1 is idempotent
and recovers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/common/Register-GEEnforce.ps1

@@ -57,8 +57,11 @@ $action = New-ScheduledTaskAction `
 # --- Triggers ---
 # Per-PC random offset [0, 5) min so 200 PCs don't all fire on :00/:05/:10/...
 # Derived from hostname hash so the same PC always picks the same offset.
+# SHA-256 instead of MD5 because FIPS-enforced PCs (System Cryptography
+# Group Policy) disable MD5 entirely and would throw here; SHA-256 is
+# FIPS 180-4 approved.
 $hostHash = [System.BitConverter]::ToUInt32(
-    [System.Security.Cryptography.MD5]::Create().ComputeHash(
+    [System.Security.Cryptography.SHA256]::Create().ComputeHash(
         [System.Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)), 0)
 $offsetMin = $hostHash % 5     # 0..4