diff --git a/harmony/Cargo.toml b/harmony/Cargo.toml
index 99a827c7..6c6a0e9e 100644
--- a/harmony/Cargo.toml
+++ b/harmony/Cargo.toml
@@ -98,10 +98,16 @@ inquire.workspace = true
 brocade = { path = "../brocade" }
 option-ext = "0.2.0"
 rand.workspace = true
-virt = { version = "0.4.3", optional = true }
 podman-api = { version = "0.9", optional = true }
 sysinfo = "0.30"
 
+# virt (libvirt bindings) uses std::os::unix and only compiles on Unix targets.
+# Declaring it here (not in [dependencies]) prevents Cargo from trying to
+# compile it when cross-compiling to Windows, even if a workspace member
+# requests the `kvm` feature.
+[target.'cfg(unix)'.dependencies]
+virt = { version = "0.4.3", optional = true }
+
 [dev-dependencies]
 pretty_assertions.workspace = true
 assertor.workspace = true
diff --git a/harmony/src/modules/fleet/assets.rs b/harmony/src/modules/fleet/assets.rs
index ec362669..a458ebac 100644
--- a/harmony/src/modules/fleet/assets.rs
+++ b/harmony/src/modules/fleet/assets.rs
@@ -159,6 +159,7 @@ async fn ensure_cloud_image_unverified(
 
     info!("downloading cloud image {url} → {target:?} (one-time, sha not pinned)");
     download_to(url, &target).await?;
+    #[cfg(unix)]
     tokio::fs::set_permissions(&target, std::os::unix::fs::PermissionsExt::from_mode(0o644))
         .await
         .map_err(|e| exec(format!("chmod image: {e}")))?;
@@ -208,6 +209,7 @@ async fn ensure_cloud_image(
         )));
     }
     // World-readable so libvirt-qemu can open it without a chmod ritual.
+    #[cfg(unix)]
     tokio::fs::set_permissions(&target, std::os::unix::fs::PermissionsExt::from_mode(0o644))
         .await
         .map_err(|e| exec(format!("chmod image: {e}")))?;
@@ -300,6 +302,7 @@ async fn provision_ssh_keypair() -> Result<FleetSshKeypair, ExecutorError> {
     tokio::fs::create_dir_all(&dir)
         .await
         .map_err(|e| exec(format!("create ssh dir {dir:?}: {e}")))?;
+    #[cfg(unix)]
     tokio::fs::set_permissions(&dir, std::os::unix::fs::PermissionsExt::from_mode(0o700))
         .await
         .map_err(|e| exec(format!("chmod ssh dir: {e}")))?;
@@ -368,6 +371,7 @@ async fn make_world_traversable(dir: &Path) -> Result<(), ExecutorError> {
     // We only adjust the terminal dir here; parents are assumed to be
     // world-traversable already (true by default on every distro's
     // data-dir layout: `~/.local/share` is 755 on user create).
+    #[cfg(unix)]
     tokio::fs::set_permissions(dir, std::os::unix::fs::PermissionsExt::from_mode(0o755))
         .await
         .map_err(|e| exec(format!("chmod {dir:?}: {e}")))?;
diff --git a/harmony/src/modules/fleet/mod.rs b/harmony/src/modules/fleet/mod.rs
index 46aefc60..e7c830b2 100644
--- a/harmony/src/modules/fleet/mod.rs
+++ b/harmony/src/modules/fleet/mod.rs
@@ -19,12 +19,12 @@
 //! KVM VMs, etc.
 
 pub mod assets;
-#[cfg(feature = "kvm")]
+#[cfg(all(feature = "kvm", unix))]
 pub mod libvirt_pool;
 pub mod operator;
 pub mod preflight;
 mod setup_score;
-#[cfg(feature = "kvm")]
+#[cfg(all(feature = "kvm", unix))]
 mod vm_score;
 
 pub use assets::{
@@ -34,7 +34,7 @@ pub use assets::{
     UBUNTU_2404_CLOUDIMG_URL, ensure_debian_trixie_arm64_cloud_image, ensure_fleet_ssh_keypair,
     ensure_ubuntu_2404_cloud_image, ensure_ubuntu_2404_cloud_image_for_arch, read_public_key,
 };
-#[cfg(feature = "kvm")]
+#[cfg(all(feature = "kvm", unix))]
 pub use libvirt_pool::{HARMONY_FLEET_POOL_NAME, HarmonyFleetPool, ensure_harmony_fleet_pool};
 // `FleetOperatorScore` and `FleetServerScore` moved to
 // `harmony-fleet-deploy` per ADR-023 — see that crate for the
@@ -44,5 +44,5 @@ pub use setup_score::{
     AdminAuth, FleetDeviceAuth, FleetDeviceSetupConfig, FleetDeviceSetupScore, HostsEntry,
     merge_hosts_file,
 };
-#[cfg(feature = "kvm")]
+#[cfg(all(feature = "kvm", unix))]
 pub use vm_score::ProvisionVmScore;
diff --git a/harmony/src/modules/fleet/preflight.rs b/harmony/src/modules/fleet/preflight.rs
index 93b08f81..c544dbe5 100644
--- a/harmony/src/modules/fleet/preflight.rs
+++ b/harmony/src/modules/fleet/preflight.rs
@@ -15,7 +15,7 @@ use tokio::process::Command;
 
 use crate::domain::topology::VmArchitecture;
 use crate::executors::ExecutorError;
-#[cfg(feature = "kvm")]
+#[cfg(all(feature = "kvm", unix))]
 use crate::modules::kvm::firmware::discover_aarch64_firmware;
 
 /// Run every preflight check for an x86_64 smoke run — equivalent
@@ -49,7 +49,7 @@ pub async fn check_fleet_smoke_preflight_for_arch(
         // without `kvm` (e.g. the on-device agent) don't pull in
         // libvirt at all; for them, aarch64 preflight simply
         // stops after the qemu-system-aarch64 PATH check.
-        #[cfg(feature = "kvm")]
+        #[cfg(all(feature = "kvm", unix))]
         discover_aarch64_firmware()?;
     }
     Ok(())
diff --git a/harmony/src/modules/mod.rs b/harmony/src/modules/mod.rs
index 0d639af4..545997de 100644
--- a/harmony/src/modules/mod.rs
+++ b/harmony/src/modules/mod.rs
@@ -11,7 +11,7 @@ pub mod http;
 pub mod inventory;
 pub mod k3d;
 pub mod k8s;
-#[cfg(feature = "kvm")]
+#[cfg(all(feature = "kvm", unix))]
 pub mod kvm;
 pub mod lamp;
 pub mod linux;
diff --git a/harmony/src/modules/podman/mod.rs b/harmony/src/modules/podman/mod.rs
index f193d9d8..052faef6 100644
--- a/harmony/src/modules/podman/mod.rs
+++ b/harmony/src/modules/podman/mod.rs
@@ -1,8 +1,10 @@
 mod interpret;
 mod score;
+#[cfg(unix)]
 mod topology;
 
 pub use crate::topology::EnvVar;
 pub use interpret::PodmanV0Interpret;
 pub use score::{PodmanService, PodmanV0Score, ReconcileScore};
+#[cfg(unix)]
 pub use topology::PodmanTopology;