Auto-flush stale SMB/conntrack state on DHCP lease, one-source PPKG model

Three changes that go together so a re-image never hits "System error 53":

1. dnsmasq dhcp-script hook (playbook/pxe-server-helpers/pxe-dhcp-hook.sh)
   Fires on every add/del lease event. Runs conntrack -D and ss -K for the
   client IP so any stale ESTABLISHED SMB session from a previous boot is
   cleared before the client reconnects. Runs as root (dnsmasq default).
   Wired into /etc/dnsmasq.conf via dhcp-script= directive in the playbook.

2. One-source PPKG (playbook/startnet.cmd + startnet-template.cmd)
   The 5 per-Office PPKG copies were bit-for-bit identical; only the
   filename differs because BPRT parses Office and Region out of the name.
   Store one source file (e.g. GCCH_Prod_SFLD_v4.11.ppkg) and construct
   the BPRT-tagged target filename at menu-selection time from variables:
     SOURCE_PPKG / PPKG_VER / PPKG_EXP / REGION / OFFICE
   copy /Y "Y:\ppkgs\%SOURCE_PPKG%" "W:\Enrollment\%PPKG%"
   Bumped PPKG_VER v4.10 -> v4.11 and PPKG_EXP 20260430 -> 20270430.
   Saves ~30G on disk per version.

3. run-enrollment.ps1 already committed in 5a9c3db uses provtool.exe
   directly (no PowerShell cmdlet 180s timeout). Included here because it
   is part of the same end-to-end PPKG path.

startnet-template.cmd

@@ -66,14 +66,28 @@ echo   5. Pro Plus Office (x64) with Access
 echo   6. Skip enrollment
 echo.
 set /p enroll=Enter your choice (1-6):
-if "%enroll%"=="1" set PPKG=GCCH_Prod_SFLD_NoOffice_US_Exp_20260430_v4.10.ppkg
-if "%enroll%"=="2" set PPKG=GCCH_Prod_SFLD_StdOffice-x86_US_Exp_20260430_v4.10.ppkg
-if "%enroll%"=="3" set PPKG=GCCH_Prod_SFLD_StdOffice-x64_US_Exp_20260430_v4.10.ppkg
-if "%enroll%"=="4" set PPKG=GCCH_Prod_SFLD_ProPlusOffice-x86_US_Exp_20260430_v4.10.ppkg
-if "%enroll%"=="5" set PPKG=GCCH_Prod_SFLD_ProPlusOffice-x64_US_Exp_20260430_v4.10.ppkg
-if "%enroll%"=="6" set PPKG=
+
+REM --- PPKG configuration (constructed at menu time, see docs) ---
+REM Vendor ships one source PPKG; we construct the BPRT-tagged filename
+REM by filling in Office, Region, Expiry, Version on the target copy.
+REM Update SOURCE_PPKG + PPKG_VER when a new PPKG is released.
+set SOURCE_PPKG=GCCH_Prod_SFLD_v4.11.ppkg
+set PPKG_VER=v4.11
+set PPKG_EXP=20270430
+set REGION=US
+
+set OFFICE=
+if "%enroll%"=="1" set OFFICE=NoOffice
+if "%enroll%"=="2" set OFFICE=StdOffice-x86
+if "%enroll%"=="3" set OFFICE=StdOffice-x64
+if "%enroll%"=="4" set OFFICE=ProPlusOffice-x86
+if "%enroll%"=="5" set OFFICE=ProPlusOffice-x64
+if "%enroll%"=="6" set OFFICE=
 if "%enroll%"=="" goto enroll_menu
 
+set PPKG=
+if not "%OFFICE%"=="" set PPKG=GCCH_Prod_SFLD_%OFFICE%_%REGION%_Exp_%PPKG_EXP%_%PPKG_VER%.ppkg
+
 :pctype_menu
 cls
 echo.
@@ -158,8 +172,8 @@ if not "%PCTYPE%"=="" set NEED_ENROLL=1
 if "%NEED_ENROLL%"=="0" goto enroll_staged
 net use Y: \\10.9.100.1\enrollment /user:pxe-upload pxe /persistent:no
 if "%PPKG%"=="" goto enroll_staged
-if not exist "Y:\ppkgs\%PPKG%" (
-    echo WARNING: %PPKG% not found on server. Enrollment will be skipped.
+if not exist "Y:\ppkgs\%SOURCE_PPKG%" (
+    echo WARNING: %SOURCE_PPKG% not found on server. Enrollment will be skipped.
     set PPKG=
 )
 :enroll_staged
@@ -258,9 +272,9 @@ if exist "Y:\config\site-config.json" (
     echo WARNING: site-config.json not found on enrollment share.
 )
 
-REM --- Copy PPKG if selected ---
+REM --- Copy PPKG if selected (renames from SOURCE to BPRT-tagged filename) ---
 if "%PPKG%"=="" goto copy_pctype
-copy /Y "Y:\ppkgs\%PPKG%" "W:\Enrollment\%PPKG%"
+copy /Y "Y:\ppkgs\%SOURCE_PPKG%" "W:\Enrollment\%PPKG%"
 if errorlevel 1 (
     echo WARNING: Failed to copy enrollment package.
     goto copy_pctype