fix RDP: auto-start SessionEnv and UmRdpService, enable firewall rules for all profiles

TermService alone doesn't create the RDP listener — SessionEnv (Remote
Desktop Configuration) and UmRdpService (Port Redirector) must also be
running. Use PowerShell Enable-NetFirewallRule to enable the built-in
Remote Desktop firewall rules for all network profiles instead of
creating custom netsh rules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/images/windows/templates/generalize.nix

@@ -97,13 +97,15 @@ in
     reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
     reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
     reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
-    :: Firewall rules for RDP (TCP + UDP)
-    netsh advfirewall firewall add rule name="RDP TCP" dir=in protocol=tcp localport=3389 action=allow
-    netsh advfirewall firewall add rule name="RDP UDP" dir=in protocol=udp localport=3389 action=allow
-    :: Enable and restart TermService
+    :: Enable RDP firewall rules and services
+    powershell -Command "Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
+    powershell -Command "Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Any"
+    sc config SessionEnv start= auto
+    sc config UmRdpService start= auto
     sc config TermService start= auto
-    net stop TermService /y 2>nul
+    net start SessionEnv
     net start TermService
+    net start UmRdpService
     ''}
 
     :: Clean up