Reorganize repo, enrollment share taxonomy, Blancco USB-build fixes, v4.10 PPKGs

Workstation reorganization:
- All build/deploy/helper scripts moved into scripts/ (paths updated to use
  REPO_ROOT instead of SCRIPT_DIR so they resolve sibling dirs from the new
  depth)
- New config/ directory placeholder for site-specific overrides
- Removed stale: mok-keys/, test-vm.sh, test-lab.sh, setup-guide-original.txt,
  unattend/ (duplicate of moved playbook/FlatUnattendW10.xml)
- README.md and SETUP.md structure listings updated, dead "Testing with KVM"
  section removed
- .claude/ gitignored

Enrollment share internal taxonomy (forward-looking; existing servers
unaffected since they keep their current boot.wim with flat paths):
- Single SMB share kept (WinPE only mounts one Y: drive), but content now
  organised into ppkgs/, scripts/, config/, shopfloor-setup/, pre-install/{bios,
  installers}, installers-post/cmm/, blancco/, logs/
- README.md deployed to share root explaining each subdir
- New playbook tasks deploy site-config.json + wait-for-internet.ps1 +
  migrate-to-wifi.ps1 explicitly (were ad-hoc on legacy servers)
- BIOS subdir moved into pre-install/bios/, preinstall/ renamed to pre-install/
- startnet.cmd + startnet-template.cmd updated with new Y:\subdir\ paths
- Bumped GCCH PPKG references v4.9 -> v4.10

Blancco USB-build fixes (so next fresh USB install boots Blancco end-to-end
without the manual fixup we did against GOLD):
- grub-blancco.cfg: kernel/initrd switched HTTP -> TFTP (GRUB's HTTP module
  times out on multi-MB files); added modprobe.blacklist=iwlwifi,iwlmvm,btusb
  (WiFi drivers hang udev on Intel business PCs)
- grubx64.efi rebuilt from updated cfg
- Playbook task added to create /srv/tftp/blancco/ symlinks pointing at the
  HTTP-served binaries

run-enrollment.ps1: OOBEComplete is now set AFTER PPKG install (Win11 22H2+
hangs indefinitely if OOBEComplete is set before the bulk-enrollment PPKG runs).

Also includes deploy-bios.sh / pull-bios.sh / busybox-static / models.txt
that were sitting untracked at the repo root.

scripts/deploy-bios.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# deploy-bios.sh - Deploy BIOS update files to a running PXE server
+# Copies Flash64W.exe, BIOS binaries, models.txt, and check-bios.cmd
+#
+# Usage: ./deploy-bios.sh [server-ip]
+#   Default server: 10.9.100.1
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "$0")"/.. && pwd)"
+PXE_SERVER="${1:-10.9.100.1}"
+PXE_USER="pxe"
+PXE_PASS="pxe"
+REMOTE_DIR="/srv/samba/enrollment/BIOS"
+BIOS_DIR="$REPO_ROOT/bios-staging"
+MANIFEST="$REPO_ROOT/playbook/shopfloor-setup/BIOS/models.txt"
+CHECK_SCRIPT="$REPO_ROOT/playbook/shopfloor-setup/BIOS/check-bios.cmd"
+
+SSH="sshpass -p $PXE_PASS ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 $PXE_USER@$PXE_SERVER"
+SCP="sshpass -p $PXE_PASS scp -o StrictHostKeyChecking=no -o ConnectTimeout=10"
+
+# Verify sources exist
+if [ ! -d "$BIOS_DIR" ] || [ -z "$(ls -A "$BIOS_DIR" 2>/dev/null)" ]; then
+    echo "ERROR: bios-staging/ is empty or missing. Run ./pull-bios.sh first."
+    exit 1
+fi
+
+if [ ! -f "$MANIFEST" ]; then
+    echo "ERROR: playbook/shopfloor-setup/BIOS/models.txt not found."
+    exit 1
+fi
+
+echo "Deploying BIOS files to $PXE_SERVER..."
+
+# Create remote directory
+$SSH "sudo mkdir -p '$REMOTE_DIR' && sudo chown $PXE_USER:$PXE_USER '$REMOTE_DIR'"
+
+# Copy check-bios.cmd and models.txt
+echo "  Copying check-bios.cmd + models.txt..."
+$SCP "$CHECK_SCRIPT" "$MANIFEST" "$PXE_USER@$PXE_SERVER:$REMOTE_DIR/"
+
+# Copy BIOS binaries
+COUNT=$(find "$BIOS_DIR" -name '*.exe' | wc -l)
+SIZE=$(du -sh "$BIOS_DIR" | cut -f1)
+echo "  Copying $COUNT BIOS binaries ($SIZE)..."
+$SCP "$BIOS_DIR"/*.exe "$PXE_USER@$PXE_SERVER:$REMOTE_DIR/"
+
+# Verify
+REMOTE_COUNT=$($SSH "find '$REMOTE_DIR' -name '*.exe' | wc -l")
+echo "Done: $REMOTE_COUNT files on $PXE_SERVER:$REMOTE_DIR"