diff --git a/.github/workflows/generate_api_index.yaml b/.github/workflows/generate_api_index.yaml
deleted file mode 100644
index cce14cf66..000000000
--- a/.github/workflows/generate_api_index.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Generate API Index
-on:
-  push:
-    branches: [master]
-  workflow_dispatch:
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Setup .NET Core SDK
-        uses: actions/setup-dotnet@v1.8.0
-      - name: Checkout googleapis (this repository)
-        uses: actions/checkout@v2
-      - name: Checkout index generator
-        uses: actions/checkout@v2
-        with:
-          repository: googleapis/googleapis-api-index-generator
-          path: gen
-      - name: Generate API index
-        run: |
-          gen/scripts/generate-schema.sh
-          gen/scripts/generate-index.sh $PWD
-          cp gen/tmp/api-index-v1.json $PWD
-      - name: Commit API index
-        run: |
-          [[ ! $(git diff --exit-code api-index-v1.json) ]] && echo "Nothing to commit." && exit 0
-          git config user.name "Google APIs"
-          git add api-index-v1.json
-          git commit -m "chore: regenerate API index"
-          git push
diff --git a/google/cloud/osconfig/agentendpoint/v1/agentendpoint.proto b/google/cloud/osconfig/agentendpoint/v1/agentendpoint.proto
index 6cf3ad0b0..721d0bdcc 100644
--- a/google/cloud/osconfig/agentendpoint/v1/agentendpoint.proto
+++ b/google/cloud/osconfig/agentendpoint/v1/agentendpoint.proto
@@ -31,7 +31,8 @@ service AgentEndpointService {
   option (google.api.default_host) = "osconfig.googleapis.com";
 
   // Stream established by client to receive Task notifications.
-  rpc ReceiveTaskNotification(ReceiveTaskNotificationRequest) returns (stream ReceiveTaskNotificationResponse) {
+  rpc ReceiveTaskNotification(ReceiveTaskNotificationRequest)
+      returns (stream ReceiveTaskNotificationResponse) {
     option (google.api.method_signature) = "instance_id_token,agent_version";
   }
 
@@ -41,24 +42,31 @@ service AgentEndpointService {
   }
 
   // Signals an intermediary progress checkpoint in task execution.
-  rpc ReportTaskProgress(ReportTaskProgressRequest) returns (ReportTaskProgressResponse) {
-    option (google.api.method_signature) = "instance_id_token,task_id,task_type";
+  rpc ReportTaskProgress(ReportTaskProgressRequest)
+      returns (ReportTaskProgressResponse) {
+    option (google.api.method_signature) =
+        "instance_id_token,task_id,task_type";
   }
 
   // Signals that the task execution is complete and optionally returns the next
   // task.
-  rpc ReportTaskComplete(ReportTaskCompleteRequest) returns (ReportTaskCompleteResponse) {
-    option (google.api.method_signature) = "instance_id_token,task_id,task_type,error_message";
+  rpc ReportTaskComplete(ReportTaskCompleteRequest)
+      returns (ReportTaskCompleteResponse) {
+    option (google.api.method_signature) =
+        "instance_id_token,task_id,task_type,error_message";
   }
 
   // Registers the agent running on the VM.
   rpc RegisterAgent(RegisterAgentRequest) returns (RegisterAgentResponse) {
-    option (google.api.method_signature) = "instance_id_token,agent_version,supported_capabilities";
+    option (google.api.method_signature) =
+        "instance_id_token,agent_version,supported_capabilities";
   }
 
   // Reports the VMs current inventory.
-  rpc ReportInventory(ReportInventoryRequest) returns (ReportInventoryResponse) {
-    option (google.api.method_signature) = "instance_id_token,inventory_checksum,inventory";
+  rpc ReportInventory(ReportInventoryRequest)
+      returns (ReportInventoryResponse) {
+    option (google.api.method_signature) =
+        "instance_id_token,inventory_checksum,inventory";
   }
 }
 
@@ -75,9 +83,7 @@ message ReceiveTaskNotificationRequest {
 
 // The streaming rpc message that will notify the agent when it has a task
 // it needs to perform on the instance.
-message ReceiveTaskNotificationResponse {
-
-}
+message ReceiveTaskNotificationResponse {}
 
 // A request message for signaling the start of a task execution.
 message StartNextTaskRequest {
@@ -110,6 +116,7 @@ message ReportTaskProgressRequest {
   // specified below:
   // APPLY_PATCHES = ApplyPatchesTaskProgress
   // EXEC_STEP = Progress not supported for this type.
+  // APPLY_CONFIG_TASK = ApplyConfigTaskProgress
   TaskType task_type = 3 [(google.api.field_behavior) = REQUIRED];
 
   // Intermediate progress of the current task.
@@ -147,6 +154,7 @@ message ReportTaskCompleteRequest {
   // specified below:
   // APPLY_PATCHES = ApplyPatchesTaskOutput
   // EXEC_STEP = ExecStepTaskOutput
+  // APPLY_CONFIG_TASK = ApplyConfigTaskOutput
   TaskType task_type = 3 [(google.api.field_behavior) = REQUIRED];
 
   // Descriptive error message if the task execution ended in error.
@@ -166,9 +174,7 @@ message ReportTaskCompleteRequest {
 }
 
 // The response message after the agent signaled the current task complete.
-message ReportTaskCompleteResponse {
-
-}
+message ReportTaskCompleteResponse {}
 
 // The request message for registering the agent.
 message RegisterAgentRequest {
@@ -183,13 +189,13 @@ message RegisterAgentRequest {
   // Required. The capabilities supported by the agent. Supported values are:
   // PATCH_GA
   // GUEST_POLICY_BETA
-  repeated string supported_capabilities = 3 [(google.api.field_behavior) = REQUIRED];
+  // CONFIG_V1
+  repeated string supported_capabilities = 3
+      [(google.api.field_behavior) = REQUIRED];
 }
 
 // The response message after the agent registered.
-message RegisterAgentResponse {
-
-}
+message RegisterAgentResponse {}
 
 // The request message for having the agent report inventory.
 message ReportInventoryRequest {
@@ -198,13 +204,13 @@ message ReportInventoryRequest {
   // where the audience is 'osconfig.googleapis.com' and the format is 'full'.
   string instance_id_token = 1 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. This is a client created checksum that should be generated based on the
-  // contents of the reported inventory.  This will be used by the service to
-  // determine if it has the latest version of inventory.
+  // Required. This is a client created checksum that should be generated based
+  // on the contents of the reported inventory.  This will be used by the
+  // service to determine if it has the latest version of inventory.
   string inventory_checksum = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // Optional. This is the details of the inventory.  Should only be provided if the
-  // inventory has changed since the last report, or if instructed by the
+  // Optional. This is the details of the inventory.  Should only be provided if
+  // the inventory has changed since the last report, or if instructed by the
   // service to provide full inventory.
   Inventory inventory = 3 [(google.api.field_behavior) = OPTIONAL];
 }
diff --git a/google/cloud/osconfig/agentendpoint/v1/config_common.proto b/google/cloud/osconfig/agentendpoint/v1/config_common.proto
index 3994cf4b7..576292fe3 100644
--- a/google/cloud/osconfig/agentendpoint/v1/config_common.proto
+++ b/google/cloud/osconfig/agentendpoint/v1/config_common.proto
@@ -65,10 +65,21 @@ message OSPolicyResourceConfigStep {
 
   // Outcome of the configuration step.
   Outcome outcome = 2;
+
+  // An error message recorded during the execution of this step.
+  // Only populated when outcome is FAILED.
+  string error_message = 3;
 }
 
 // Compliance data for an OS policy resource.
 message OSPolicyResourceCompliance {
+  // ExecResource specific output.
+  message ExecResourceOutput {
+    // Output from Enforcement phase output file (if run).
+    // Output size is limited to 100K bytes.
+    bytes enforcement_output = 2;
+  }
+
   // The id of the OS policy resource.
   string os_policy_resource_id = 1;
 
@@ -78,6 +89,12 @@ message OSPolicyResourceCompliance {
 
   // Compliance state of the OS policy resource.
   OSPolicyComplianceState state = 3;
+
+  // Resource specific output.
+  oneof output {
+    // ExecResource specific output.
+    ExecResourceOutput exec_resource_output = 4;
+  }
 }
 
 // Supported OSPolicy compliance states.
diff --git a/google/cloud/osconfig/agentendpoint/v1/os_policy.proto b/google/cloud/osconfig/agentendpoint/v1/os_policy.proto
index 92740c3f9..0d6e4e11a 100644
--- a/google/cloud/osconfig/agentendpoint/v1/os_policy.proto
+++ b/google/cloud/osconfig/agentendpoint/v1/os_policy.proto
@@ -36,8 +36,8 @@ message OSPolicy {
     message File {
       // Specifies a file available via some URI.
       message Remote {
-        // Required. URI from which to fetch the object. It should contain both the
-        // protocol and path following the format `{protocol}://{location}`.
+        // Required. URI from which to fetch the object. It should contain both
+        // the protocol and path following the format `{protocol}://{location}`.
         string uri = 1 [(google.api.field_behavior) = REQUIRED];
 
         // SHA256 checksum of the remote file.
@@ -159,8 +159,8 @@ message OSPolicy {
         REMOVED = 2;
       }
 
-      // Required. The desired state the agent should maintain for this package. The
-      // default is to ensure the package is installed.
+      // Required. The desired state the agent should maintain for this package.
+      // The default is to ensure the package is installed.
       DesiredState desired_state = 1 [(google.api.field_behavior) = REQUIRED];
 
       // A system package.
@@ -206,8 +206,8 @@ message OSPolicy {
           DEB_SRC = 2;
         }
 
-        // Required. Type of archive files in this repository. The default behavior is
-        // DEB.
+        // Required. Type of archive files in this repository. The default
+        // behavior is DEB.
         ArchiveType archive_type = 1 [(google.api.field_behavior) = REQUIRED];
 
         // Required. URI for this repository.
@@ -216,8 +216,8 @@ message OSPolicy {
         // Required. Distribution of this repository.
         string distribution = 3 [(google.api.field_behavior) = REQUIRED];
 
-        // Required. List of components for this repository. Must contain at least one
-        // item.
+        // Required. List of components for this repository. Must contain at
+        // least one item.
         repeated string components = 4 [(google.api.field_behavior) = REQUIRED];
 
         // URI of the key file for this repository. The agent maintains a
@@ -229,8 +229,8 @@ message OSPolicy {
       // repo file that is managed at
       // `/etc/yum.repos.d/google_osconfig.repo`.
       message YumRepository {
-        // Required. A one word, unique name for this repository. This is  the `repo
-        // id` in the yum config file and also the `display_name` if
+        // Required. A one word, unique name for this repository. This is  the
+        // `repo id` in the yum config file and also the `display_name` if
         // `display_name` is omitted. This id is also used as the unique
         // identifier when checking for resource conflicts.
         string id = 1 [(google.api.field_behavior) = REQUIRED];
@@ -249,8 +249,8 @@ message OSPolicy {
       // repo file that is managed at
       // `/etc/zypp/repos.d/google_osconfig.repo`.
       message ZypperRepository {
-        // Required. A one word, unique name for this repository. This is the `repo
-        // id` in the zypper config file and also the `display_name` if
+        // Required. A one word, unique name for this repository. This is the
+        // `repo id` in the zypper config file and also the `display_name` if
         // `display_name` is omitted. This id is also used as the unique
         // identifier when checking for GuestPolicy conflicts.
         string id = 1 [(google.api.field_behavior) = REQUIRED];
@@ -330,12 +330,20 @@ message OSPolicy {
 
         // Required. The script interpreter to use.
         Interpreter interpreter = 4 [(google.api.field_behavior) = REQUIRED];
+
+        // Only recorded for enforce Exec.
+        // Path to an output file (that is created by this Exec) whose
+        // content will be recorded in OSPolicyResourceCompliance after a
+        // successful run. Absence or failure to read this file will result in
+        // this ExecResource being non-compliant. Output file size is limited to
+        // 100K bytes.
+        string output_file_path = 5;
       }
 
-      // Required. What to run to validate this resource is in the desired state.
-      // An exit code of 100 indicates "in desired state", and exit code of 101
-      // indicates "not in desired state". Any other exit code indicates a
-      // failure running validate.
+      // Required. What to run to validate this resource is in the desired
+      // state. An exit code of 100 indicates "in desired state", and exit code
+      // of 101 indicates "not in desired state". Any other exit code indicates
+      // a failure running validate.
       Exec validate = 1 [(google.api.field_behavior) = REQUIRED];
 
       // What to run to bring this resource into the desired state.
@@ -432,6 +440,4 @@ message OSPolicy {
     // their desired state, and if not, enforces the desired state.
     ENFORCEMENT = 2;
   }
-
-
 }
diff --git a/google/cloud/osconfig/agentendpoint/v1/osconfig_v1.yaml b/google/cloud/osconfig/agentendpoint/v1/osconfig_v1.yaml
index 2e1bd489c..c51caf297 100644
--- a/google/cloud/osconfig/agentendpoint/v1/osconfig_v1.yaml
+++ b/google/cloud/osconfig/agentendpoint/v1/osconfig_v1.yaml
@@ -17,3 +17,10 @@ backend:
     deadline: 30.0
   - selector: google.cloud.osconfig.agentendpoint.v1.AgentEndpointService.ReceiveTaskNotification
     deadline: 3600.0
+
+authentication:
+  rules:
+  - selector: 'google.longrunning.Operations.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform