Move wired-disable from stage 2 to post-PPKG-return

Push stages 2-6 to dashboard before going dark. Wired stays up through
PPKG enrollment so all standard imaging progress lights up the dashboard
card. Disable fires AFTER idx=6 push (handoff to Monitor PostPpkg) +
BEFORE PostPpkg settle's Schedule #3 hammer + BEFORE the PPKG-driven
reboot + BEFORE IME starts firing Report IP. Result: dashboard shows
2-6 cleanly, dark from 6 to 7, then catches up at 7 with QR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

playbook/shopfloor-setup/Run-ShopfloorSetup.ps1

@@ -41,23 +41,6 @@ function Report-Stage {
 }
 Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2
 
-# Kill wired NICs immediately after stage 2 push. Goal: GE Intune Report
-# IP webhook only ever sees this bay's corp-WiFi IP, never the PXE LAN
-# (10.9.100.x) IP. Otherwise GE backend tags the bay "not on corp net"
-# and dynamic-group assignment filters exclude it from the SFLD
-# ConfigurationProfile -> Phase 2 stuck forever.
-# Monitor-IntuneProgress re-enables wired once
-# C:\Logs\GE_Report_IP_Address*.txt appears (proof the webhook fire saw
-# the corp IP it needed). Side effect during disabled window:
-# Send-PxeStatus pushes from stages 3-6 fail silently (PXE server lives
-# on the air-gapped 10.9.100.0/24 LAN). Dashboard catches up at idx=7.
-$disableWiredScript = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Disable-WiredNics.ps1'
-if (Test-Path -LiteralPath $disableWiredScript) {
-    try { & $disableWiredScript } catch { Write-Warning "Disable-WiredNics threw: $_" }
-} else {
-    Write-Warning "Disable-WiredNics.ps1 not found at $disableWiredScript - wired stays up (Report IP leak risk)"
-}
-
 # AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
 # Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
 # nukes the lockdown-configured ShopFloor autologon later in the chain.
@@ -493,13 +476,24 @@ if (Test-Path -LiteralPath $enrollScript) {
     try { Stop-Transcript | Out-Null } catch {}
     & $enrollScript
 
-    # PPKG completes -> we're back here with a pending shutdown timer.
-    # Hand off to Monitor in -PostPpkg mode. Monitor cancels the shutdown,
-    # settles, renders live status, then issues its own reboot. The
-    # persistent @logon sync_intune task fires on the next boot to resume
-    # tracking through device-category-assignment + lockdown.
+    # idx=6 push happens BEFORE wired disable so the dashboard captures
+    # the handoff stage. Disable-WiredNics comes right after - kills wired
+    # before PostPpkg settle's Schedule #3 hammer hits Intune endpoints,
+    # before the PPKG-driven reboot, and before IME starts firing the
+    # Report IP script. Goal: GE's Report IP webhook only ever sees the
+    # corp-WiFi IP, never PXE LAN (10.9.100.x). Monitor-IntuneProgress
+    # re-enables wired once C:\Logs\GE_Report_IP_Address*.txt shows up
+    # (proof of clean Report IP fire) and then pushes idx=7.
     Write-Host ""
     Report-Stage -Stage 'Run-ShopfloorSetup: handoff to Monitor-IntuneProgress' -Index 6
+
+    $disableWiredScript = Join-Path $PSScriptRoot 'shopfloor-setup\Shopfloor\lib\Disable-WiredNics.ps1'
+    if (Test-Path -LiteralPath $disableWiredScript) {
+        try { & $disableWiredScript } catch { Write-Warning "Disable-WiredNics threw: $_" }
+    } else {
+        Write-Warning "Disable-WiredNics.ps1 not found at $disableWiredScript - wired stays up (Report IP leak risk)"
+    }
+
     Write-Host "=== Handing off to Monitor-IntuneProgress -PostPpkg ==="
     cmd /c "shutdown /a 2>nul" | Out-Null
     $monitor = Join-Path $setupDir 'Shopfloor\lib\Monitor-IntuneProgress.ps1'