00-PreInstall: pre-stage udc_webserver_settings.json + firewall/NetFx3 hardening

Add staging block that copies udc_webserver_settings.json from the enrollment
share to C:\ProgramData\UDC during preinstall, mirroring the existing
udc_settings.json pattern. New PCs were imaging without UDC web server
config because the file was never wired into the imaging flow (only the
remote-maintenance task in powershell/remote-execution touched it).

Also folds in two prior uncommitted hardening blocks in the same script:
firewall NotifyOnListen=False (suppress Oracle OUI's listen-port prompt)
and NetFx3 pre-enable (Oracle 11.2's welcome path needs .NET 3.5).

playbook/shopfloor-setup/Shopfloor/00-PreInstall-MachineApps.ps1

@@ -180,6 +180,54 @@ if ($machineNum -and $machineNum -ne '9999') {
     }
 }
 
+$udcWebSrc = 'C:\Enrollment\shopfloor-setup\Standard\udc_webserver_settings.json'
+$udcWebDst = 'C:\ProgramData\UDC\udc_webserver_settings.json'
+if (Test-Path -LiteralPath $udcWebSrc) {
+    if (-not (Test-Path 'C:\ProgramData\UDC')) {
+        New-Item -Path 'C:\ProgramData\UDC' -ItemType Directory -Force | Out-Null
+    }
+    Copy-Item -Path $udcWebSrc -Destination $udcWebDst -Force
+    Write-PreInstallLog "Pre-staged UDC webserver settings from $udcWebSrc -> $udcWebDst"
+} else {
+    Write-PreInstallLog "No UDC webserver settings file at $udcWebSrc" "WARN"
+}
+
+# --- Suppress Windows Defender Firewall "Allow access" prompts globally for
+#     this preinstall pass. Oracle's OUI extracts a JRE to a per-run
+#     %TEMP%\OraInstall<timestamp>\jdk\jre\bin\java.exe and binds a localhost
+#     port, which trips the unsigned-app firewall dialog. The temp path is
+#     timestamp-randomized so a path-based -Program rule can't match it.
+#     Turning off NotifyOnListen stops the prompt without weakening the
+#     firewall's actual block decisions.
+try {
+    Set-NetFirewallProfile -Profile Domain,Public,Private -NotifyOnListen False -ErrorAction Stop
+    Write-PreInstallLog "Firewall NotifyOnListen disabled (Domain/Public/Private)"
+} catch {
+    Write-PreInstallLog "Failed to disable firewall NotifyOnListen: $_" "WARN"
+}
+
+# --- Pre-enable .NET Framework 3.5. Oracle 11.2 OUI uses a .NET 2.0/3.5
+#     component on its welcome path; on Win10/11 NetFx3 is OFF by default
+#     and the first 3.5 API call pops the "Download and install this feature"
+#     dialog. Enable-WindowsOptionalFeature pulls payload from Windows Update
+#     when available; on hosts without internet at preinstall time this will
+#     fail and Oracle will still prompt (TODO: stage NetFx3 sxs cab on image
+#     and pass -Source for true air-gap support). Idempotent no-op when
+#     already enabled. Mirrors the per-PC enable in CMM/09-Setup-CMM.ps1.
+try {
+    $netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
+    if ($netfx.State -eq 'Enabled') {
+        Write-PreInstallLog ".NET Framework 3.5 already enabled"
+    } else {
+        Write-PreInstallLog ".NET Framework 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
+        $result = Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -All -NoRestart -ErrorAction Stop
+        Write-PreInstallLog "  Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
+    }
+} catch {
+    Write-PreInstallLog "Failed to enable .NET 3.5: $_" "WARN"
+    Write-PreInstallLog "  Continuing - Oracle and other 3.5-dependent installers may surface a Windows feature-install prompt"
+}
+
 # --- Pre-create Windows Firewall rules for UDC + MTConnect Agent so the
 #     installer doesn't pop firewall-allow dialogs during silent install.
 #     Rules are idempotent (New-NetFirewallRule -ErrorAction SilentlyContinue