Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Shopfloor/lib/Disable-WiredNics.ps1

@@ -5,7 +5,7 @@
 #
 # Reason: GE's Intune Proactive-Remediation "Report IP" script enumerates
 # Get-NetIPAddress and POSTs every IP it finds to a GE webhook. When a
-# shopfloor bay is still cabled to the air-gapped PXE LAN (10.9.100.0/24),
+# shopfloor bay is still cabled to the air-gapped PXE LAN (172.16.9.0/24),
 # the webhook sees 10.9.100.x as one of the device's IPs and tags the bay
 # "not on corp net". A dynamic group / assignment-filter at GE then excludes
 # the bay from receiving the SFLD ConfigurationProfile (Function + SasToken