Stay organized with collections
Save and categorize content based on your preferences.
This document describes the patch summary information on the Patch dashboard
of the Google Cloud console. From this dashboard, you can do
the following:
View the patch summary information for your VMs in a project, organization,
or folders.
If you haven't already, set up authentication.
Authentication verifies your identity for access to Google Cloud services and APIs. To run
code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and
APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI.
After installation,
initialize the Google Cloud CLI by running the following command:
To get the permissions that
you need to view patch summary,
ask your administrator to grant you the
following IAM roles:
View patch summary for VMs in an organization or folder:
OS Config Upgrade Report Viewer (roles/osconfig.upgradeReportViewer)
on the organization or folder
These predefined roles contain
the permissions required to view patch summary. To see the exact permissions that are
required, expand the Required permissions section:
Required permissions
The following permissions are required to view patch summary:
View patch summary for VMs in an organization or folder:
osconfig.upgradeReports.getSummary
resourcemanager.projects.get
resourcemanager.projects.list
View patch summary for VMs in a project (Projects tab):
Review patch summary information in the Patch summary table.
The table includes a row for each project as shown in the following figure:
The Patch summary table lists the following information that meets the
criteria you've specified in the query builder:
Project: The name of projects in the organization that contain at least
one VM and have VM Manager enabled.
Clicking on the project name opens the VM instances tab that lists
the patch status of individual VMs in the project.
Total VMs: Total number of VMs in each project.
Monitored VMs: Number of VMs in the project that have VM Manager agent
enabled and are being scanned for patches.
Critical: Number of VMs with at least one CRITICAL patch available.
Important: Number of VMs with one or more IMPORTANT patches available.
Other: Number of VMs for which there are patches available with a
severity rating below CRITICAL or IMPORTANT.
Up to date: Number of VMs without any available patches.
No data: Number of VMs with no patch data available. Either VM Manager
is not enabled for these VMs, or their operation system is not supported.
Optional: Apply table filters if you want to view specific rows in the
Patch summary table:
For example, if you want to see patch summary for projects that have more
than 10 VMs, then set the filter option Total VMs to >= 10.
Use query builder to filter the patch summary information
Based on the criteria that you specify using the query builder, VM Manager
computes and displays the patch summary for VMs in the
projects in your organization or folder. You can then use the table filters
in the Patch summary table to filter the displayed data.
For example, when you set the OS attribute in the query builder as Debian,
VM Manager displays patch information for all VMs with Debian OS.
If you want to view the patch summary for VMs in a specific project,
use the filter to specify the project ID.
To set a query in the query builder, do the following:
Select an Attribute. The query builder supports the following attributes:
OS: Specify the short names of the operating systems such as Windows
or Debian.
OS version: Specify the version of the operating system. For example, 21.04 or
10.0.22000. You can specify a single asterisk (*) at the end of the OS
version string to denote partial match, for example 10*.
VM running: Specify whether you want to view patch summary for VMs
that are in the RUNNING state.
CVE ID: The identifier of the CVE that is fixed by a particular patch,
in the CVE-2023-12345 format. If this attribute is set, only those patches that
are related to the given CVE ID are considered to compute the patch summary information.
Patch available: Set this attribute to true to compute patch summary
information only for those VMs with at least one patch available.
Patch severity: Specify the severity of patches applicable to the VMs.
Choose one of the attributes and specify a value for the attribute.
For example, if you want to see patch summary for VMs with a specific operating
system, then select OS. You then get a list of comparison
operators to choose from.
Select an Operator, for example, ==.
In the Value field, specify the comparison value. For example Debian.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThe Patch dashboard in the Google Cloud console allows you to view patch summary information for virtual machines (VMs) across projects, organizations, or folders.\u003c/p\u003e\n"],["\u003cp\u003eYou can review the status of patch jobs and scheduled patch deployments from the Patch dashboard.\u003c/p\u003e\n"],["\u003cp\u003eTo view patch summaries, you must have the appropriate IAM roles, such as "OS Config Upgrade Report Viewer" for organizations/folders or "OS Config Vulnerability Report Viewer" for projects.\u003c/p\u003e\n"],["\u003cp\u003eThe patch summary table provides details such as the total number of VMs, monitored VMs, and the number of VMs with critical, important, or other patches available, as well as up to date and no data.\u003c/p\u003e\n"],["\u003cp\u003eUsing the query builder, you can filter the patch summary data by attributes like OS, OS version, VM running status, CVE ID, patch availability, and patch severity.\u003c/p\u003e\n"]]],[],null,["This document describes the patch summary information on the **Patch** dashboard\nof the Google Cloud console. From this dashboard, you can do\nthe following:\n\n- View the patch summary information for your VMs in a project, organization, or folders.\n- View the status of patch jobs in your project.\n- View the status of scheduled patch deployments.\n\nBefore you begin\n\n- Review [OS Config quotas](/compute/vm-manager/docs/os-config-quotas).\n- If you haven't already, set up [authentication](/compute/docs/authentication). Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:\n\n Select the tab for how you plan to use the samples on this page: \n\n Console\n\n\n When you use the Google Cloud console to access Google Cloud services and\n APIs, you don't need to set up authentication.\n\n gcloud\n 1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n After installation,\n [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command:\n\n ```bash\n gcloud init\n ```\n\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n 2. [Set a default region and zone](/compute/docs/gcloud-compute#set_default_zone_and_region_in_your_local_client).\n\n REST\n\n\n To use the REST API samples on this page in a local development environment, you use the\n credentials you provide to the gcloud CLI.\n 1. [Install](/sdk/docs/install) the Google Cloud CLI. After installation, [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command: \n\n ```bash\n gcloud init\n ```\n 2. If you're using an external identity provider (IdP), you must first [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n\n For more information, see\n [Authenticate for using REST](/docs/authentication/rest)\n in the Google Cloud authentication documentation.\n\nRequired roles and permissions\n\n\nTo get the permissions that\nyou need to view patch summary,\n\nask your administrator to grant you the\nfollowing IAM roles:\n\n- View patch summary for VMs in an organization or folder: [OS Config Upgrade Report Viewer](/iam/docs/roles-permissions/osconfig#osconfig.upgradeReportViewer) (`roles/osconfig.upgradeReportViewer`) on the organization or folder\n- View patch summary for VMs in a project: [OS Config Vulnerability Report Viewer](/iam/docs/roles-permissions/osconfig#osconfig.vulnerabilityReportViewer) (`roles/osconfig.vulnerabilityReportViewer`) on the project\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nThese predefined roles contain\n\nthe permissions required to view patch summary. To see the exact permissions that are\nrequired, expand the **Required permissions** section:\n\n\nRequired permissions\n\nThe following permissions are required to view patch summary:\n\n- View patch summary for VMs in an organization or folder:\n - `osconfig.upgradeReports.getSummary `\n - `resourcemanager.projects.get `\n - `resourcemanager.projects.list`\n- View patch summary for VMs in a project (Projects tab):\n - `osconfig.upgradeReports.searchSummaries `\n - `resourcemanager.projects.get `\n - `resourcemanager.projects.list`\n\n\nYou might also be able to get\nthese permissions\nwith [custom roles](/iam/docs/creating-custom-roles) or\nother [predefined roles](/iam/docs/roles-overview#predefined).\n\nView patch summary for VMs in an organization or folder\n\nYou can set the view scope to an organization or folder and view the patch\nsummary for VMs in all projects in that organization or folder.\n\nOnly those projects in your organization or folder that meet one of the following\nrequirements are listed in the Patch summary table:\n\n- Contains one or more VMs on which VM Manager is enabled and running.\n- Contains one or more VMs on which VM Manager was running in the past 7 days and patch data is available.\n\nTo view patch summary for VMs in an organization or folder, do the following:\n\n1. In the Google Cloud console, go to the **Compute Engine** \\\u003e **VM Manager** \\\u003e **Patch** page.\n\n [Go to the Patch page](https://console.cloud.google.com/compute/patch)\n2. In the project drop-down list on the Google Cloud console, select the organization or folder for which you want to see the patch summary information.\n3. Click **Projects** tab.\n4. Optional: Specify the criteria for patch summary computation by [using the\n query builder](#query-builder).\n5. Review patch summary information in the **Patch summary table**.\n The table includes a row for each project as shown in the following figure:\n\n [](/static/compute/images/manage-os/patch-summary.png)\n\n The Patch summary table lists the following information that meets the\n criteria you've specified in the query builder:\n - **Project**: The name of projects in the organization that contain at least\n one VM and have VM Manager enabled.\n\n Clicking on the project name opens the **VM instances** tab that lists\n the patch status of individual VMs in the project.\n - **Total VMs**: Total number of VMs in each project.\n\n - **Monitored VMs**: Number of VMs in the project that have VM Manager agent\n enabled and are being scanned for patches.\n\n - **Critical** : Number of VMs with at least one `CRITICAL` patch available.\n\n - **Important** : Number of VMs with one or more `IMPORTANT` patches available.\n\n - **Other** : Number of VMs for which there are patches available with a\n severity rating below `CRITICAL` or `IMPORTANT`.\n\n - **Up to date**: Number of VMs without any available patches.\n\n - **No data**: Number of VMs with no patch data available. Either VM Manager\n is not enabled for these VMs, or their operation system is not supported.\n\n6. Optional: Apply table filters if you want to view specific rows in the\n Patch summary table:\n\n \u003cbr /\u003e\n\n [](/static/compute/images/manage-os/table-filter.png)\n\n \u003cbr /\u003e\n\n For example, if you want to see patch summary for projects that have more\n than 10 VMs, then set the filter option **Total VMs** to `\u003e= 10`.\n\nUse query builder to filter the patch summary information\n\nBased on the criteria that you specify using the query builder, VM Manager\ncomputes and displays the patch summary for VMs in the\nprojects in your organization or folder. You can then use the table filters\nin the Patch summary table to filter the displayed data.\n\nFor example, when you set the `OS` attribute in the query builder as `Debian`,\nVM Manager displays patch information for all VMs with Debian OS.\nIf you want to view the patch summary for VMs in a specific project,\nuse the filter to specify the project ID.\n\n\u003cbr /\u003e\n\n[](/static/compute/images/manage-os/query-builder.png)\n\n\u003cbr /\u003e\n\nTo set a query in the query builder, do the following:\n\n1. Select an **Attribute**. The query builder supports the following attributes:\n\n - **OS** : Specify the short names of the operating systems such as `Windows` or `Debian`.\n - **OS version** : Specify the version of the operating system. For example, `21.04` or `10.0.22000`. You can specify a single asterisk (`*`) at the end of the OS version string to denote partial match, for example `10*`.\n - **VM running** : Specify whether you want to view patch summary for VMs that are in the `RUNNING` state.\n - **CVE ID** : The identifier of the CVE that is fixed by a particular patch, in the `CVE-2023-12345` format. If this attribute is set, only those patches that are related to the given CVE ID are considered to compute the patch summary information.\n - **Patch available** : Set this attribute to `true` to compute patch summary information only for those VMs with at least one patch available.\n - **Patch severity**: Specify the severity of patches applicable to the VMs.\n2. Choose one of the attributes and specify a value for the attribute.\n For example, if you want to see patch summary for VMs with a specific operating\n system, then select **OS**. You then get a list of comparison\n operators to choose from.\n\n 1. Select an **Operator** , for example, `==`.\n 2. In the **Value** field, specify the comparison value. For example `Debian`.\n3. To add another attribute, click **Add condition**.\n\n4. Click **Search**.\n\n| **Note:** VM Manager applies the query only to VMs on which VM Manager is enabled.\n\nWhat's next?\n\n- [Create a patch job](/compute/vm-manager/docs/patch/create-patch-job).\n- [Manage patch jobs](/compute/vm-manager/docs/patch/manage-patch-jobs).\n- [Schedule patch jobs](/compute/vm-manager/docs/patch/schedule-patch-jobs)."]]
