What is dockur/windows?

dockur/windows is an open-source Docker container that runs a full Windows installation with KVM acceleration and a web-based viewer. One docker-compose.yml and you have Windows 11 accessible from your browser, fully isolated from your host machine.

Why sandbox an AI agent like Manus?

Manus My Computer has access to your local files, terminal, and applications. Testing it in a Docker-based VM means if it does something unexpected -- deletes files, runs an unwanted command -- it's contained to the VM, not your real machine.

Does dockur/windows require a Windows license?

It downloads a genuine ISO directly from Microsoft's servers. Windows 11 runs in evaluation mode -- fully functional for testing purposes.

What are the system requirements?

A Linux host with KVM support (most modern CPUs), Docker installed, and enough disk space for the Windows ISO (7.2 GB for Windows 11 Pro). Does not work on macOS or Windows hosts without additional configuration.

Run AI Agents in a Sandbox -- Windows and macOS Inside Docker

By Prahlad Menon Published 2026-03-16 4 min read

This morning Manus launched “My Computer” — their AI agent now running directly on your local machine, with access to files, terminal, and installed applications. 1.5 million views in a few hours.

A Medium article published within hours asked the obvious question: Should you trust Manus with your local files?

The honest answer: maybe, eventually. But not before testing it somewhere that isn’t your real machine.

Here’s how to do that in about 10 minutes.

The problem with local AI agents

The appeal of Manus My Computer is obvious. An AI that can reorganize your project folders, run build scripts, fill out forms while you’re away, and coordinate across your apps is genuinely useful.

The risk is equally obvious. You’re granting an AI — running partly in the cloud — permission to execute terminal commands and modify your file system. A confused model, a maliciously crafted prompt injection, or just an unexpected edge case could do real damage.

Manus does require approval for each terminal command (“Always Allow” or “Allow Once”), which is smart. But even with those guardrails, the safest way to evaluate a new tool with this level of access is in an environment you can throw away.

Enter dockur/windows

dockur/windows is an open-source project that runs a full Windows installation inside a Docker container. KVM-accelerated, full auto-install, web-based viewer — no physical machine, no dual-boot, no cloud VM subscription.

35,000+ GitHub stars. One docker-compose.yml. Windows 11 running in your browser in under 20 minutes.

services:
  windows:
    image: dockurr/windows
    container_name: windows
    environment:
      VERSION: "11"
    devices:
      - /dev/kvm
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    ports:
      - 8006:8006
      - 3389:3389/tcp
      - 3389:3389/udp
    volumes:
      - ./windows:/storage
    restart: always
    stop_grace_period: 2m

That’s the entire setup. docker compose up, open http://localhost:8006, watch Windows install itself.

Using it to safely test Manus

Once the VM is running:

Open the web viewer at http://localhost:8006 — you have a full Windows 11 desktop
Download and install Manus Desktop inside the VM
Test anything — let it access files, run terminal commands, operate the browser
The VM is your sandbox — your real machine is completely untouched

If Manus does something you don’t expect, docker compose down && docker volume rm windows and you’re back to a clean slate. The whole thing is disposable.

You can also use RDP if you prefer a native remote desktop experience: connect to localhost:3389 with any RDP client.

Windows versions available

dockur/windows supports a surprising range:

Version	Size
Windows 11 Pro	7.2 GB
Windows 11 LTSC	4.7 GB
Windows 10 Pro	5.7 GB
Windows Server 2025	6.7 GB
Windows XP (yes, really)	0.6 GB

ISOs are downloaded directly from Microsoft’s servers — no piracy concerns, no sketchy sources.

Requirements

Linux host with KVM support (most modern Intel/AMD CPUs)
Docker + Docker Compose installed
~10 GB free disk space for the Windows image
Doesn’t work natively on macOS/Windows hosts without additional nested virtualization setup

If you’re running on a Linux VPS or server, this works out of the box. On a Mac, you’d need something like UTM or a cloud VM first.

Bonus: macOS Inside Docker Too

Same team, same approach — dockur/macos does exactly what it sounds like.

services:
  macos:
    image: dockurr/macos
    container_name: macos
    environment:
      VERSION: "14"        # Sonoma -- change to "15" for Sequoia
    devices:
      - /dev/kvm
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    ports:
      - 8006:8006
      - 5900:5900/tcp
      - 5900:5900/udp
    volumes:
      - ./macos:/storage
    restart: always
    stop_grace_period: 2m

Open http://localhost:8006. Unlike Windows, macOS requires a few manual steps to complete installation:

Choose Disk Utility → select the largest Apple Inc. VirtIO Block Media disk
Click Erase → format as APFS, give it any name
Close Disk Utility → click Reinstall macOS
When prompted, select the disk you just created
After files copy: set region/language, skip Migration Assistant, skip Apple ID (select “Set Up Later”)

VNC also available on port 5900 for a native remote desktop client.

Is this legal? Technically, Apple’s EULA only permits macOS to run on Apple hardware. Running it in a VM on non-Apple hardware is a gray area — fine for personal testing and CI/CD, not for production deployment or redistribution. The repo exists, it works, Apple has not acted against it. Use it for what it’s designed for: sandboxed testing.

Why it matters for AI agents: Manus My Computer and Perplexity Computer both run on macOS. If you want to test either in an isolated environment without risking your daily driver Mac, dockur/macos on a Linux server gives you a throwaway macOS instance in minutes.

GitHub: github.com/dockur/macos

The broader point

Every major AI lab is racing to give agents local machine access right now. Manus today. Perplexity Computer. OpenAI’s upcoming desktop agent. This is the direction everything is heading.

That makes sandboxing more important, not less. A Docker-based Windows VM costs you nothing, takes 10 minutes to set up, and means you can evaluate any of these tools without betting your actual filesystem on their reliability in v0.1.

dockur/windows is one of those repos that quietly solves a real problem. The timing for it just got a lot more relevant.

GitHub (Windows): github.com/dockur/windows
GitHub (macOS): github.com/dockur/macos

Also on the blog today: Manus vs Comet vs SoulSearch — the browser agent comparison