
@synacktraa synacktraa commented Nov 7, 2025

Cua.Windows.Test.mp4

Summary

This PR adds a production-ready QEMU-based Windows 11 container to the libs/qemu directory, enabling CUA agents to interact with Windows desktop environments through the CUA computer-server.

Recent Updates (Nov 9, 2025)

Fixed critical issues from initial implementation:

  • ✅ CUA server now installs correctly using isolated Python virtual environment
  • ✅ Both CUA server and Caddy proxy run hidden in background (no visible windows)
  • ✅ Golden image creation completes automatically without blocking
  • ✅ Boot from golden image works reliably (added windows.boot marker file)
  • ✅ Container lifecycle properly managed (exits during setup, stays alive during runtime)

What's New

  • Windows 11 in Docker: Enterprise edition running in QEMU/KVM with CUA computer-server and Caddy proxy
  • Hidden background services: Both services run via Windows scheduled tasks with LogonType S4U
  • Virtual environment isolation: CUA server uses isolated Python venv to prevent dependency conflicts
  • Automated lifecycle: Detects setup vs runtime mode, manages container lifecycle accordingly
  • Dual deployment modes: Support for both dev (shared folder) and azure (OEM folder) modes
  • Port forwarding: Server accessible at localhost:5000, noVNC at localhost:8006

Technical Details

Base Image: Uses windowsarena/windows-local:latest instead of windowsarena/winarena-base:latest to avoid unnecessary ML bloat:

  • Removes Python 3.9 and ML client dependencies (easyocr, onnxruntime, etc.)
  • Removes CUDA 11.8 libraries
  • Removes ML model weights (GroundingDINO, OmniParser)
  • Results in significantly smaller image (~25GB reduction)

Architecture:

Container (Linux) → Port Forwarding (socat) → QEMU VM (Windows 11) → CUA computer-server

Files Added

libs/qemu/
├── Dockerfile                          # Multi-stage build for dev/azure modes
├── README.md                           # Comprehensive setup and usage guide
└── src/
    ├── entry.sh                        # Container entrypoint with setup detection and lifecycle management
    └── vm/
        ├── image/                      # Place for setup.iso
        ├── setup/                      # Windows setup scripts
        │   ├── install.bat             # Entry point for Windows setup
        │   ├── setup.ps1               # Main setup orchestration
        │   ├── setup-cua-server.ps1    # CUA server setup with venv isolation
        │   ├── setup-caddy-proxy.ps1   # Caddy proxy setup with scheduled task
        │   ├── on-logon.ps1            # Starts scheduled tasks at user logon
        │   ├── setup-tools.psm1        # PowerShell utilities
        │   └── tools_config.json       # Software download mirrors
        └── unattend-files/             # Unattended installation configs
            ├── dev_win11x64-enterprise-eval.xml
            └── azure_win11x64-enterprise-eval.xml

Usage Example

# 1. Download setup.iso from Microsoft Evaluation Center
# 2. Place in src/vm/image/

# Build
docker build --build-arg DEPLOY_MODE=dev -t cua-windows:dev .

# First run - creates golden image (15-20 min)
docker run -it --rm \
    --device=/dev/kvm \
    --platform linux/amd64 \
    --name cua-windows \
    --mount type=bind,source=$(pwd)/src/vm/image/setup.iso,target=/custom.iso \
    --cap-add NET_ADMIN \
    -v $(pwd)/storage:/storage \
    -p 8006:8006 \
    -p 5000:5000 \
    -e RAM_SIZE=8G \
    -e CPU_CORES=4 \
    -e DISK_SIZE=20G \
    cua-windows:dev

# Subsequent runs - uses golden image (2-5 min)
docker run -it --rm \
    --device=/dev/kvm \
    --platform linux/amd64 \
    --name cua-windows \
    --cap-add NET_ADMIN \
    -v $(pwd)/storage:/storage \
    -p 8006:8006 \
    -p 5000:5000 \
    -e RAM_SIZE=8G \
    -e CPU_CORES=4 \
    -e DISK_SIZE=20G \
    cua-windows:dev

# Access
open http://localhost:8006              # noVNC browser
curl http://localhost:5000/status       # Computer-server API

Breaking Changes

None - this is a new addition to the libs directory.
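The description gives the endpoints as localhost:5000 and localhost:8006, but a `-p 8006:8006` flag with no host IP makes Docker publish the port on every host interface by default. The check below is an added example, not part of this PR or the project's code (the function names are made up here); it lists the `-p`/`--publish` mappings of a `docker run` command line that are not bound to a loopback address.

```shell
#!/bin/sh
# Added example: flag published ports that are not restricted to loopback.

# Print one line per -p/--publish mapping that lacks a loopback host IP.
# Usage: exposed_publishes <docker run arguments...>
exposed_publishes() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -p|--publish)
                [ "$#" -ge 2 ] || break        # flag given without a value
                spec=$2; shift ;;
            --publish=*) spec=${1#--publish=} ;;
            -p?*)        spec=${1#-p} ;;       # attached form, e.g. -p8006:8006
            *)           shift; continue ;;
        esac
        shift
        spec=${spec%/*}                        # drop a /tcp or /udp suffix
        case "$spec" in
            127.*:*:*|"[::1]":*) ;;            # host IP is loopback: not exposed
            *) printf '%s\n' "$spec" ;;        # no host IP, or a non-loopback one
        esac
    done
}

# Flags taken from the run command in the PR description (sample input).
page_cmd() {
    exposed_publishes -it --rm --device=/dev/kvm --platform linux/amd64 \
        --name cua-windows --cap-add NET_ADMIN -v ./storage:/storage \
        -p 8006:8006 -p 5000:5000 -e RAM_SIZE=8G cua-windows:dev
}

# Same command with both ports bound to 127.0.0.1 (constructed variant).
hardened_cmd() {
    exposed_publishes -it --rm --device=/dev/kvm --platform linux/amd64 \
        --name cua-windows --cap-add NET_ADMIN -v ./storage:/storage \
        -p 127.0.0.1:8006:8006 -p 127.0.0.1:5000:5000 -e RAM_SIZE=8G cua-windows:dev
}

echo "as posted:";     page_cmd
echo "loopback only:"; hardened_cmd
```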

…ation

- Install Python 3.12 via Chocolatey for consistent environment
- Create isolated virtual environment at %USERPROFILE%\.cua-server\venv
- Install cua-computer-server package in venv to prevent conflicts
- Create Windows scheduled task with VBScript hidden launcher
- Use LogonType S4U for background execution without interactive session
- Configure auto-restart loop for service resilience
- Add firewall rule for port 5000

Replaces global pip installation approach that was failing.

- Create Caddy start script with auto-restart loop
- Use VBScript wrapper to launch hidden (window mode 0)
- Configure Windows scheduled task with LogonType S4U
- Run reverse proxy from port 9222 to port 1337 in background
- Enable auto-restart on failure for resilience

Ensures Caddy runs completely hidden without visible windows.

Changes to setup.ps1:
- Replace global pip CUA server install with setup-cua-server.ps1 call
- Add setup-caddy-proxy.ps1 call for proxy configuration
- Start WindowsArena_OnLogon task asynchronously (non-blocking)
- Remove blocking Start-ScheduledTask that prevented setup completion

Changes to on-logon.ps1:
- Replace direct service execution with scheduled task triggers
- Start Caddy-Reverse-Proxy task instead of direct caddy command
- Start CUA-Computer-Server task instead of direct python command
- Both services now run hidden via their respective scheduled tasks

Fixes issues:
- Services no longer run in visible windows
- Setup script no longer blocks indefinitely
- Both services run in background as proper scheduled tasks

- Create windows.boot marker file if missing (fixes boot hang)
- Add /storage directory existence check before file creation
- Detect initial setup mode via /custom.iso presence
- Skip tail -f during setup to allow container exit
- Keep container alive only during normal runtime

Fixes issues:
- Container now exits properly after golden image creation
- Boot from golden image no longer hangs indefinitely
- Automatic distinction between setup and runtime modes

@synacktraa synacktraa marked this pull request as ready for review November 9, 2025 19:09
@synacktraa synacktraa requested a review from f-trycua November 10, 2025 09:36
Collaborator

f-trycua commented Nov 10, 2025

On the subsequent runs, there should be no need to mount the .iso again:

# Subsequent runs - uses golden image (2-5 min)
docker run -it --rm \
    --device=/dev/kvm \
    --platform linux/amd64 \
    --name cua-windows \
    --cap-add NET_ADMIN \
    -v $(pwd)/storage:/storage \
    -p 8006:8006 \
    -p 5000:5000 \
    -e RAM_SIZE=8G \
    -e CPU_CORES=4 \
    -e DISK_SIZE=20G \
    cua-windows:dev

@synacktraa
Author

> On the subsequent runs, there should be no need to mount the .iso again:
>
> # Subsequent runs - uses golden image (2-5 min)
> docker run -it --rm \
>     --device=/dev/kvm \
>     --platform linux/amd64 \
>     --name cua-windows \
>     --cap-add NET_ADMIN \
>     -v $(pwd)/storage:/storage \
>     -p 8006:8006 \
>     -p 5000:5000 \
>     -e RAM_SIZE=8G \
>     -e CPU_CORES=4 \
>     -e DISK_SIZE=20G \
>     cua-windows:dev

Yes, it is documented correctly in the README - I will update the PR comment.

@@ -0,0 +1,104 @@
# Setup Caddy Reverse Proxy on Windows 11
Collaborator

Caddy proxy not needed


# Create scheduled task to run at logon
try {
$TaskName = 'Caddy-Reverse-Proxy'
Collaborator

not needed


# Ensure Chocolatey and Python 3.12 are present
try {
$ChocoExe = Resolve-ChocoPath
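Review bot: at `$ChocoExe = Resolve-ChocoPath`, check the result before it is used: if the helper returns nothing, fail the setup with a clear error instead of letting a later call run against an empty path. The comment above promises Python 3.12, so also pin the exact package version passed to Chocolatey, so that the golden image is always built from a known installer.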
Collaborator

Are we re-installing Python? Perhaps you can instead download Python through the tool-config.json mechanism.

"https://github.com/git-for-windows/git/releases/download/v2.37.1.windows.1/Git-2.37.1-64-bit.exe"
]
},
"7zip": {
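Review bot: the mirror entry ending at `Git-2.37.1-64-bit.exe` gives the setup script a download URL, but nothing in the visible lines records an expected hash for the installer. Add a SHA-256 value next to each mirror in this JSON and have the download helper compare it before the installer is run, so a changed or substituted file fails the setup instead of ending up in the golden image. The pinned 2.37.1 release is also worth reviewing while this file is being touched.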
Collaborator

Delete unused

@@ -0,0 +1,467 @@
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
Collaborator

not needed
