WIP: add Windows Update template with online COM API updates

Add essentials.windowsUpdate template that boots Audit Mode, uses the
Windows Update COM API to search/download/install all available updates
(cumulative, .NET, Defender), handles multi-round reboots with Audit
Mode preservation, and compacts the image afterward.

Known issues being worked:
- Audit Mode preservation after update reboot needs verification
- Install takes ~60-90 min with 4GB RAM on slow machines

Includes full session notes in wip/ with detailed test log, build
commands, issue analysis, timing data, and Claude memory files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

wip/claude-memory/MEMORY.md

@@ -0,0 +1,41 @@
+# vmix.nix Project Memory
+
+## Build Preferences
+- Always use VNC display (`:1` / port 5901) when building Windows images so progress can be monitored
+- Pass `vncDisplay = ":1"` to customizeImage templates for build monitoring
+- Use `gvnccapture localhost:1 /tmp/screenshot.png` to take VNC screenshots (package: gtk-vnc)
+- For VNC inside vmix namespace: `ip netns exec windows.vmix nix-shell -p gtk-vnc --run 'gvnccapture 127.0.0.1:1 /tmp/screenshot.png'`
+
+## Key Architecture
+- Offline registry uses `ControlSet001` (not `CurrentControlSet`) for virt-win-reg merges
+- Sysprep resets offline registry changes — RDP must be re-enabled in post-OOBE script
+- TermService won't listen on port 3389 in Audit Mode without a password on Administrator
+- `LimitBlankPasswordUse=0` alone is NOT sufficient for RDP in Audit Mode — password required
+- OOBE AutoLogon `<Password>` in unattend XML is unreliable — set via `reg add` in post-oobe.cmd instead
+- OOBE creates user with blank password regardless of unattend — set real password via `net user` in post-oobe.cmd
+- `sc config` can fail silently for some services — use `reg add` to set `Start` value directly
+
+## RDP on Win10 IoT Enterprise LTSC 2021
+- **CRITICAL**: `rdpwd.sys` and `tdtcp.sys` don't exist in this Windows build (removed in 19041+)
+- `termsrv.dll` version is `10.0.19041.1202` — not supported by RDPWrap v1.6.2 or community INI files
+- TermService runs but never creates the `rdp-tcp` WinStation listener — no port 3389
+- The ISO (`en-us_windows_10_iot_enterprise_ltsc_2021_x64_dvd_257ad90f.iso`) has 2 indexes:
+  - Index 1: Windows 10 Enterprise LTSC 2021
+  - Index 2: Windows 10 IoT Enterprise LTSC 2021
+- Product key `M7XTQ-FN8P6-TTKYV-9D4CC-J462D` = Enterprise LTSC (not IoT)
+- MAS HWID activation switches edition to IoT Enterprise S (partial key YY74H)
+- **TODO**: Either generate custom RDPWrap config for termsrv 10.0.19041.1202, use a different ISO, or use third-party RDP server
+
+## generalize.nix Changes
+- `enableRDP` flag added — applies RDP settings in post-oobe.cmd (survives sysprep)
+- AutoLogon fix: blank password in unattend, real password + AutoAdminLogon registry in post-oobe.cmd
+- `LogonCount=999` for persistent AutoLogon
+- SessionEnv + UmRdpService set to auto-start via `reg add` (Start=2)
+- Firewall: `Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'` + `Set-NetFirewallRule -Profile Any`
+
+## labv2.nix junto Deployment
+- vmix flake input rev is pinned in `flake.nix` — must update the URL to change versions
+- Use `path:/storage/gitrepos/vmix.nix` for local dev, `git+https://...?rev=<hash>` for production
+- `colmena apply-local` doesn't support `--override-input`
+- DNS: `dns.resolver.useHostResolvConf = true` breaks when host uses systemd-resolved (127.0.0.53) — use explicit upstream like `1.1.1.1`
+- QEMU Guest Agent socket at `/tmp/qga-win10.sock` — use from inside namespace