This document describes how to manage the guest agent service and configure its features by editing its configuration file.
The guest agent is a critical component of the guest environment. The guest environment contains scripts, daemons, and binaries that instances need to run on Compute Engine. For more information about the guest environment, see Guest environment. While the guest agent works by default with default settings on Google-provided OS images, you might want to customize its behavior. For more information about guest agent core functions, see Guest agent functionality.
Restart the guest agent
The guest agent runs as a daemon on both Linux and Windows operating systems. On
Linux, the guest agent launches as a systemd service, and on Windows, it is a
system service.
The restart steps vary between Linux and Windows operating systems as follows:
Linux
To restart on Linux, choose one of the following options:
- For guest agent version 20250901.00 or later, run the following command:

      ggactl_plugin coreplugin restart

- For previous guest agent versions, run the following command:

      systemctl restart google-guest-agent
Windows
To restart on Windows, choose one of the following options:
- For guest agent version 20250901.00 or later, run the following command:

      ggactl_plugin coreplugin restart

- For previous guest agent versions, use the following PowerShell commands:
  - To stop the guest agent:

        Stop-Service GCEAgent

  - To start the guest agent:

        Start-Service GCEAgent

  - Alternatively, to restart the guest agent:

        Restart-Service GCEAgent
For all guest agent versions, you can also use the Task Manager: find
the GCEGuestAgent service, and then restart it.
Update the guest agent configuration file
You can customize the guest agent's behavior by editing its configuration file,
instance_configs.cfg. This file lets you enable or disable features and
set default values for operations.
To edit the instance_configs.cfg file on Linux and Windows operating systems,
review the following sections.
Linux
To edit the configuration file on a Linux VM, do the following:
- Create or edit the configuration file located at /etc/default/instance_configs.cfg and set the required option. For a list of options, see Configuration options.

  For example, to customize how new users are created and specify which SSH host key types to generate, create or update the file with the following content:

      [Accounts]
      useradd_cmd = useradd -m -G google-sudoers

      [InstanceSetup]
      host_key_types = ecdsa,ed25519

  Note: Linux distributions might provide their own default settings in /etc/default/instance_configs.cfg.distro. The agent reads these settings first, but any settings you define in /etc/default/instance_configs.cfg override the distribution defaults. This ensures that your custom configurations are not lost during package updates.
- After you modify the configuration file, restart the guest agent for the changes to take effect. 
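The override order described above matters when you review what a VM is actually running with. The following added example, which is not code from the guest agent project, merges the two files in that order and reports settings that differ from the defaults documented on this page or that replace an account-management command. It assumes the files use INI syntax that Python's configparser accepts; the function names and sample file contents are constructed for illustration.

```python
import configparser

# Documented defaults copied from this page's option tables (subset only).
PAGE_DEFAULTS = {
    ("Core", "cloud_logging_enabled"): "true",
    ("Daemons", "accounts_daemon"): "true",
    ("InstanceSetup", "host_key_types"): "ecdsa,ed25519,rsa",
    ("MetadataScripts", "startup"): "true",
    ("OSLogin", "cert_authentication"): "true",
}

# Constructed sample file contents, not taken from a real image.
SAMPLE_DISTRO = """[InstanceSetup]
set_boto_config = false
host_key_types = ecdsa,ed25519,rsa
"""
SAMPLE_LOCAL = """[Accounts]
useradd_cmd = useradd -m -G google-sudoers
[InstanceSetup]
host_key_types = ecdsa,ed25519
[Core]
cloud_logging_enabled = false
"""

def effective_config(distro_text, local_text):
    """Assumes INI syntax. Distro defaults are read first; the local file overrides."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(distro_text)
    cp.read_string(local_text)
    return cp

def norm(value):  # compare booleans and comma lists ignoring case and order
    return ",".join(sorted(p.strip().lower() for p in value.split(",")))

def audit(cp):
    """Return (section, option, value, note) tuples for settings worth a review."""
    findings = []
    for (section, option), default in sorted(PAGE_DEFAULTS.items()):
        value = cp.get(section, option, fallback=default)
        if norm(value) != norm(default):
            findings.append((section, option, value, f"documented default is {default}"))
    if cp.has_section("Accounts"):
        for option, value in cp.items("Accounts"):
            if option.endswith("_cmd"):
                findings.append(("Accounts", option, value, "custom account command"))
    return findings

if __name__ == "__main__":
    for finding in audit(effective_config(SAMPLE_DISTRO, SAMPLE_LOCAL)):
        print(*finding, sep=" | ")
```

On a VM, pass the contents of /etc/default/instance_configs.cfg.distro (if present) and /etc/default/instance_configs.cfg instead of the sample strings.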
Windows
On Windows VMs, the configuration file is located at
C:\Program Files\Google\Compute Engine\instance_configs.cfg. For details about
configuring the agent on Windows, see
Enabling and disabling Windows instance features.
Configuration options
The following tables list the available configuration options for the
instance_configs.cfg file.
Accounts
Use the options in the Accounts section of the instance_configs.cfg file to
control user and group management by the guest agent.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| deprovision_remove | If set to true, when a user account is removed, the user's home directory is also deleted. By default, only the user account is removed, and the directory remains intact. | Linux | false |
| groups | A comma-separated list of groups for new users. | Linux | Empty | 
| useradd_cmd | Sets the command that the guest agent runs when creating a new user. For example, to create a user's home directory and add them to the google-sudoers group, set the value to useradd -m -G google-sudoers. | Linux | System default |
| userdel_cmd | Sets the command that the guest agent runs when deleting a user. For example, to remove the user's home directory and files, set the value to userdel -r. | Linux | System default |
| usermod_cmd | Sets the command that the guest agent runs when modifying a user's groups. | Linux | System default | 
| gpasswd_add_cmd | Sets the command that the guest agent runs when adding a user to a group. | Linux | System default | 
| gpasswd_remove_cmd | Sets the command that the guest agent runs when removing a user from a group. | Linux | System default | 
| groupadd_cmd | Sets the command that the guest agent runs when creating a new group. | Linux | System default | 
Core
Use the options in the Core section of the instance_configs.cfg file to
control core functionalities of the guest agent.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| cloud_logging_enabled | If set to false, the guest agent doesn't send activity logs to Cloud Logging. | Linux and Windows | true |
| log_level | Sets the logging level for guest agent logs. This setting applies to all logs generated by the guest agent, not just Cloud Logging. The settings and levels are as follows: | Linux and Windows | 3 |
| log_verbosity | Sets the logging verbosity level for DEBUG logs. Acceptable values are from 0 to 4. The higher the value, the more verbose the response. | Linux and Windows | 0 |
Daemons
Use the options in the Daemons section of the instance_configs.cfg file to
enable or disable specific background daemons managed by the guest agent.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| accounts_daemon | If set to false, the guest agent disables User account and SSH key management. | Linux | true | 
| clock_skew_daemon | If set to false, the guest agent disables Clock synchronization. | Linux | true | 
| network_daemon | If set to false, the guest agent disables Network management. | Linux | true | 
Instance setup
Use the options in the InstanceSetup section of the instance_configs.cfg file
to control various tasks performed by the guest agent during the initial
instance setup.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| host_key_types | A comma-separated list of host key types to generate. | Linux | ecdsa,ed25519,rsa | 
| optimize_local_ssd | If set to false, the guest doesn't optimize Local SSD on startup. | Linux | true | 
| network_enabled | If set to false, the guest agent skips instance setup functions that require metadata information. Setting this option to false also disables host key generation and prevents the guest agent from configuring the boto config file. | Linux and Windows | true |
| set_boto_config | If set to false, the guest agent doesn't create or update the boto configuration file. Applications that use the Boto library and rely on the default guest agent configuration for Cloud Storage access might not function as expected without manual boto configuration. | Linux and Windows | true |
| set_host_keys | If set to false, the guest agent skips generating host keys on first boot. | Linux | true |
| set_multiqueue | If set to false, the guest agent doesn't attempt to optimize network performance by enabling multiqueue features for the network drivers. When true, the agent configures the system to use multiple queues for network traffic, potentially improving throughput and reducing latency. | Linux | true |
IP forwarding
Use the options in the IpForwarding section of the instance_configs.cfg file
to configure how the guest agent manages IP forwarding and routing.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| ethernet_proto_id | The protocol ID string for daemon-added routes. | Linux | 66 | 
| ip_aliases | If set to false, the guest agent doesn't set up alias IP routes. | Linux | true | 
| target_instance_ips | If set to false, the guest agent doesn't enable internal IP address load balancing. | Linux | true | 
Metadata script execution
Use the options in the MetadataScripts section of the instance_configs.cfg
file to control the execution of metadata scripts, such as startup and shutdown
scripts.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| default_shell | The default shell to execute scripts. | Linux | /bin/bash | 
| run_dir | The base directory for metadata script execution. | Linux | /var/run/google-startup-scripts | 
| startup | If set to false, the guest agent doesn't run startup scripts from metadata. | Linux and Windows | true |
| shutdown | If set to false, the guest agent doesn't run shutdown scripts from metadata. | Linux and Windows | true |
Network interfaces
Use the options in the NetworkInterfaces section of the instance_configs.cfg
file to control how the guest agent manages network interfaces on the VM.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| setup | If set to false, the guest agent skips network interface setup. | Linux | true | 
| ip_forwarding | If set to false, the guest agent skips IP forwarding. | Linux | true | 
| manage_primary_nic | If set to true, the guest agent manages the primary and secondary NICs. | Linux | false | 
| dhcp_command | The path to an alternate DHCP executable for enabling network interfaces. | Linux | Empty | 
| restore_debian12_netplan_config | If set to true, the guest agent recreates the Debian 12 default netplan configuration that is located at /etc/netplan/90-default.yaml. | Linux (Debian 12) | true |
OS Login
Use the options in the OSLogin section of the instance_configs.cfg
file to configure the guest agent's integration with OS Login.
| Option | Description | Operating system | Default value | 
|---|---|---|---|
| cert_authentication | If set to false, the guest agent doesn't configure sshd's TrustedUserCAKeys, AuthorizedPrincipalsCommand, and AuthorizedPrincipalsCommandUser keys. | Linux | true |
What's next
- View the serial port output to check the guest agent logs and troubleshoot issues.