From def21bca57c903e26ed903c1d51f745f3fb7fab7 Mon Sep 17 00:00:00 2001
From: Git Sagar
Date: Sun, 7 Jun 2026 15:57:17 +0530
Subject: [PATCH] add enableRDP flag to generalize and fix AutoLogon

- generalize.nix: add enableRDP option that re-enables RDP in post-oobe.cmd after sysprep resets registry (firewall rules, TermService auto-start, disable NLA)
- Fix OOBE AutoLogon: create user with blank password (Windows ignores unattend passwords), set real password via net user in post-oobe.cmd, and explicitly set AutoAdminLogon registry values
- Add LogonCount=999 for persistent AutoLogon across reboots
- Remove unused rdpEntries import from registry/default.nix

Co-Authored-By: Claude Opus 4.6 (1M context)
---
lib/images/windows/templates/generalize.nix | 33 +++++++++++++++++--
.../windows/templates/registry/default.nix | 1 -
2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/lib/images/windows/templates/generalize.nix b/lib/images/windows/templates/generalize.nix
index 6d259f9..f0c4712 100644
--- a/lib/images/windows/templates/generalize.nix
+++ b/lib/images/windows/templates/generalize.nix
@@ -19,6 +19,8 @@ in
timezone ? "UTC",
# Desktop background solid color as hex string (e.g. "8e8cd8")
bgColor ? null,
+ # Enable Remote Desktop for the created user (re-applied after sysprep)
+ enableRDP ? false,
# delayOobeRun = true: sysprep only, OOBE + activation on real hardware
# delayOobeRun = false: sysprep + OOBE + activation in build VM
delayOobeRun ? false,
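Review bot: The comment on the new `enableRDP` option in this hunk describes it as only enabling Remote Desktop, but the block it gates in the later @@ -78 hunk also disables Network Level Authentication (`UserAuthentication` 0) and permits blank-password network logons (`LimitBlankPasswordUse` 0), which a caller choosing this flag needs to know before setting it. I would extend the comment to `# Enable Remote Desktop for the created user (re-applied after sysprep).` / `# Note: the post-OOBE script also turns off NLA and allows blank-password network logons;` / `# only set this on images that will not be reachable from untrusted networks.` The argument set these options belong to starts and ends outside the hunk.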
@@ -53,6 +55,18 @@ in
reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
''}
+ ${lib.optionalString (password != "") ''
+ :: Set user password (OOBE creates with blank password for reliable AutoLogon)
+ net user "${username}" "${password}"
+ ''}
+
+ :: Set AutoLogon via registry (OOBE unattend AutoLogon is unreliable)
+ ${lib.optionalString autoLogon ''
+ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f
+ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "${username}" /f
+ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "${password}" /f
+ ''}
+
:: Kill sysprep if it was triggered via CopyProfile'd startup entries
taskkill /f /im sysprep.exe 2>nul
:: Clean any leftover RunOnce/Run entries from audit phase
@@ -78,6 +92,20 @@ in
)
del /q C:\MAS_AIO.cmd 2>nul
+ ${lib.optionalString enableRDP ''
+ :: Enable RDP
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
+ :: Firewall rules for RDP (TCP + UDP)
+ netsh advfirewall firewall add rule name="RDP TCP" dir=in protocol=tcp localport=3389 action=allow
+ netsh advfirewall firewall add rule name="RDP UDP" dir=in protocol=udp localport=3389 action=allow
+ :: Enable and restart TermService
+ sc config TermService start= auto
+ net stop TermService /y 2>nul
+ net start TermService
+ ''}
+
:: Clean up
del /q C:\oobe-unattend.xml 2>nul
del /q C:\vmix-audit-script.cmd 2>nul
@@ -126,7 +154,7 @@ in
- ${password}
+ true</PlainText>
</Password>
<Group>Administrators</Group>
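Review bot: The `DefaultPassword` write in the autoLogon block stores the account password as a cleartext REG_SZ under HKLM\...\Winlogon, a key that standard users can read, and the `net user` line one block up puts the same password on a process command line that process-creation auditing (4688/Sysmon) records, so the commit trades the unattend file that the @@ -78 context later deletes for two places where the secret persists on the finished image. If cleartext AutoLogon is an accepted trade-off, say so next to the write, e.g. `:: DefaultPassword is stored in cleartext and readable by any local user; an LSA secret (Autologon tool) avoids this`. Separately, `net user` asks for confirmation when the password is longer than 14 characters, which stalls a non-interactive script, so `net user "${username}" "${password}" /y` is the safer form, and a password containing `"`, `%` or `!` will be mangled by cmd quoting, which the interpolation does not guard against. The post-oobe.cmd string these lines belong to starts before the hunk.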
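Review bot: This block does more than enable RDP: `UserAuthentication` 0 turns off Network Level Authentication so the RDP listener accepts sessions before any credential is checked, and `LimitBlankPasswordUse` 0 lets blank-password accounts log on over the network, which nothing in the commit needs once `net user` has set the real password earlier in the same script. The two `netsh ... add rule` lines also add a fresh pair of rules every time the script runs and allow 3389 from any source address. I would leave `UserAuthentication` at its default so NLA stays on, drop the Lsa line (or gate it on `password == ""` if a blank-password image is genuinely intended), and enable the built-in rule group instead of adding rules; the TermService lines can stay as they are. The enclosing post-oobe.cmd string starts before the hunk.
```nix
${lib.optionalString enableRDP ''
  :: Enable RDP; UserAuthentication is left at its default (1) so NLA stays on
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  :: Firewall: enable the built-in Remote Desktop group (TCP + UDP 3389) rather than adding duplicate rules on every run
  netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
  :: … unchanged: sc config / net stop / net start TermService …
''}
```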
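Review bot: The LocalAccount password in this hunk appears to become an empty PlainText value (the hunk text is garbled here, but the commit message confirms the account is now created with a blank password), and the @@ -136 hunk does the same for the AutoLogon password, so a member of Administrators exists with no password from account creation until post-oobe.cmd's `net user` runs, and permanently when `password` is `""`. Combined with `enableRDP`, which sets `LimitBlankPasswordUse` to 0, a blank-password build becomes reachable over the network with no credential at all. A build-time guard such as `assert !(enableRDP && password == "");` next to the option definitions would rule that combination out, and the blank-password window deserves a comment on the `<Value></Value>` lines so the ordering with `net user` is not broken by a later edit. The unattend XML these lines belong to continues outside the hunk.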
@@ -136,10 +164,11 @@ in
</UserAccounts>
<AutoLogon>
<Password>
- <Value>${password}</Value>
+ <Value></Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
+ <LogonCount>999</LogonCount>
<Username>${username}</Username>
</AutoLogon>
<ComputerName>${hostname}</ComputerName>
diff --git a/lib/images/windows/templates/registry/default.nix b/lib/images/windows/templates/registry/default.nix
index 2750934..73a3f6a 100644
--- a/lib/images/windows/templates/registry/default.nix
+++ b/lib/images/windows/templates/registry/default.nix
@@ -9,7 +9,6 @@ let
${entries}
'';
- rdpEntries = import ./rdp.nix;
telemetryEntries = import ./telemetry.nix;
errorReportingEntries = import ./error-reporting.nix;
defenderEntries = import ./defender.nix;
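Review bot: `<LogonCount>999</LogonCount>` populates Winlogon's `AutoLogonCount`, which Windows decrements on each automatic logon and, when it reaches zero, switches automatic logon off; the registry writes added in the @@ -53 hunk set `AutoAdminLogon` and `DefaultPassword` but never remove `AutoLogonCount`, so as far as I can tell "persistent" here means 999 logons rather than indefinite. If indefinite is the intent, add `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /f` beside those writes; otherwise a comment stating the 999-logon bound would save the next reader a surprise. Either way this is an Administrators-group account logging on unattended with its password kept in the registry, which a short comment on the `<LogonCount>` line should acknowledge. The AutoLogon element is complete within the hunk, but the surrounding unattend component continues outside it.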