Stage GE MachineAuth profiles at imaging time (AESFMA auto-join)

Hypothesis test for WJ Phase 2 stuck issue. GE Report IP script
filters Get-NetIPAddress on StartsWith("10.") - WJ bays don't see
ANY 10.x because:
- PXE LAN is 10.9.100.x (we'd disable wired anyway to avoid leak)
- Internet WiFi at site is 172.16.x (filter rejects)
- AESFMA corp WiFi (10.x) requires machine cert that Intune SCEP
  provisions a few minutes AFTER PPKG enrollment

Result: Report IP webhook gets nothing -> GE backend never sees the
bay -> bay never enters the dynamic group that SFLD policy is
assigned to. Other GE sites work because their corp WiFi/wired is
on a real 10.x corp network and the script always finds a 10.x to
report.

Drop the MA package (8021x.xml + AESFMA.xml + multi-NIC bat) onto
each bay early in Run-ShopfloorSetup, run MA4NetworkConfigv2.bat to
import both profiles to every physical wired + wireless adapter.
AESFMA.xml patched to connectionMode=auto (default V02 was manual)
so WLAN service auto-joins as soon as the SCEP cert lands. Bay
gets a real 10.x corp address. Report IP webhook fires cleanly.

Profile XMLs (8021x.xml, AESFMA.xml, BLUESSO.xml, WiFi-Profile.xml,
*.wlanprofile, *.lanprofile) added to .gitignore - they contain
GE-internal SSID + trusted-root thumbprint and are staged on the
PXE enrollment share at /srv/samba/enrollment/MachineAuth/ instead
of git.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

10
.gitignore
vendored
@@ -82,6 +82,16 @@ secrets.yml
*_secrets
credentials.json
# GE-internal WiFi / 802.1X profiles - contain SSID + trusted-root thumbprint.
# Staged on PXE share at /srv/samba/enrollment/MachineAuth/ and copied to
# bays during imaging. Never check these into git.
AESFMA.xml
8021x.xml
BLUESSO.xml
WiFi-Profile.xml
*.wlanprofile
*.lanprofile
# Pre-staged binary (142 MB) - track via LFS or stage on PXE server, not in regular git
playbook/shopfloor-setup/Shopfloor/PrinterInstallerMap.exe
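Review bot: The six new patterns (AESFMA.xml through *.lanprofile) only keep untracked files out of the index, so the comment's "Never check these into git" is not enforced by this hunk: .gitignore has no effect on a copy that is already tracked, and `git add -f` bypasses it. If any of these profiles was ever committed, it needs `git rm --cached`, and the SSID and trusted-root thumbprint would still be readable in history. Separately, the commit message says AESFMA.xml is patched to connectionMode=auto, and with this change that file exists only on the PXE share; consider noting in the comment where that patch is recorded, or applying it from a tracked script, so the auto-join setting stays reviewable and reproducible.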