How to Configure Ubuntu Unattended Upgrades in 2026: Complete Security Update Guide
Keeping your Ubuntu server secure requires regular security updates. However, manually installing patches can be time-consuming and error-prone. Ubuntu’s unattended-upgrades package automates security patch installation, ensuring your server stays protected without constant manual intervention.
In this comprehensive guide, we’ll walk you through configuring unattended-upgrades on Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and the upcoming Ubuntu 26.04 LTS in 2026. You’ll learn how to set up automatic security updates, avoid package contention issues, and implement best practices for production servers.
What Are Ubuntu Unattended Upgrades?
Unattended-upgrades is a native Ubuntu package that automatically downloads and installs security updates from the official Ubuntu repositories. It runs as a background service and can be configured to:
- Install security updates only
- Install all updates (including feature updates)
- Automatically reboot the server when required
- Send email notifications about update status
- Handle package conflicts gracefully
For Ubuntu servers in production, unattended-upgrades is considered a security best practice. It significantly reduces the window of vulnerability between a security patch being released and applied to your system.
Why Unattended Upgrades Matter in 2026
As of 2026, the threat landscape has evolved significantly. Automated patch management is no longer optional for production servers. Here’s why:
- Faster exploit cycles: Security vulnerabilities are weaponized within hours of disclosure
- Compliance requirements: Standards like PCI-DSS, HIPAA, and SOC 2 mandate timely patching
- Ubuntu LTS lifecycle: With Ubuntu 22.04, 24.04, and 26.04 LTS releases, maintaining consistent update policies is critical
- Supply chain security: Unpatched servers are prime targets for supply chain attacks
According to Canonical’s security bulletins, critical kernel vulnerabilities can emerge with less than 24 hours’ notice. Unattended-upgrades ensures your servers receive these patches automatically.
How to Install Unattended Upgrades on Ubuntu
Installing unattended-upgrades on Ubuntu is straightforward. Follow these steps on your Ubuntu server (works on 20.04, 22.04, 24.04, and future 26.04 LTS):
Step 1: Update Package Lists
First, update your APT package lists to ensure you’re installing the latest version:
sudo apt update
Step 2: Install Unattended Upgrades
Install the unattended-upgrades package:
sudo apt install unattended-upgrades -y
This installs the package and its dependencies. The service will not start automatically until configured.
Step 3: Enable Automatic Updates
Run the configuration wizard to enable automatic updates:
sudo dpkg-reconfigure unattended-upgrades
Select “Yes” when prompted to automatically download and install security updates. This creates the necessary configuration files in /etc/apt/apt.conf.d/.
Configure Ubuntu Unattended Upgrades
The default configuration is conservative and suitable for most servers. However, you can customize unattended-upgrades behavior by editing two key configuration files:
Configuration File 1: /etc/apt/apt.conf.d/20auto-upgrades
This file controls when and how often unattended-upgrades runs:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Recommended configuration for production Ubuntu servers:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Download-Upgradeable-Packages "1";
What these settings mean:
- Update-Package-Lists "1": Update package lists daily
- Unattended-Upgrade "1": Run unattended-upgrades daily
- AutocleanInterval "7": Clean old .deb packages weekly
- Download-Upgradeable-Packages "1": Pre-download packages for faster installation
Configuration File 2: /etc/apt/apt.conf.d/50unattended-upgrades
This file controls which packages to upgrade and advanced behavior:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Key sections to configure for Ubuntu servers in 2026:
Allow Security Updates Only (Recommended)
Ensure this section is uncommented to install security updates only:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    //"${distro_id}:${distro_codename}-updates";
};
This configuration installs security updates only. Leave the -updates
Automatic Reboot Configuration
Some security updates require a reboot (kernel updates). Configure automatic reboots during maintenance windows:
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Recommendations for 2026:
- Set Automatic-Reboot "true" for dev/staging servers
- Keep Automatic-Reboot "false" for production (manual reboots during planned maintenance)
- Set Automatic-Reboot-Time to your maintenance window (e.g., “03:00”)
- Consider Ubuntu Livepatch (see section below) to avoid kernel reboots
Email Notifications
Get notified when unattended-upgrades installs updates:
Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailReport "on-change";
Options for MailReport:
- "on-change": Send email only when updates are installed
- "only-on-error": Send email only when errors occur
- "always": Send email after every run
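To confirm that the two files really carry the settings recommended above, the following added example (not part of the original guide) audits copies of them and ignores commented-out lines such as the -updates origin. The function names and the sample file names (20-good, 50-weak and so on) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits copies of the two APT
# files against the settings recommended above; paths are passed as arguments.

# Drop blank lines and lines commented out with // or #.
active_lines() { cat "$@" | grep -Ev '^[[:space:]]*(//|#|$)'; }

# periodic_value KEY FILE: print the active value of APT::Periodic::KEY.
periodic_value() {
    active_lines "$2" |
        sed -n "s/^[[:space:]]*APT::Periodic::${1}[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        tail -n 1
}

# allowed_pockets FILE: print the suffix after ${distro_codename} for every
# active Allowed-Origins entry, e.g. "-security".
allowed_pockets() {
    active_lines "$1" |
        sed -n '/Unattended-Upgrade::Allowed-Origins[[:space:]]*{/,/^[[:space:]]*};/p' |
        sed -n 's/.*\${distro_codename}\([^"]*\)".*/\1/p'
}

# audit_unattended AUTO_FILE UNATTENDED_FILE: one line per finding, status 1 if any.
audit_unattended() {
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$key" "$1")
        case $val in
            ''|0) echo "FAIL APT::Periodic::$key is '${val:-unset}', expected \"1\""; rc=1 ;;
        esac
    done
    pockets=$(allowed_pockets "$2")
    printf '%s\n' "$pockets" | grep -qx -- '-security' ||
        { echo "FAIL -security origin is not active"; rc=1; }
    for bad in -updates -proposed; do
        if printf '%s\n' "$pockets" | grep -qx -- "$bad"; then
            echo "FAIL $bad origin is active; the guide keeps it commented out"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files: "good" follows the guide, "weak" deviates from it.
write_samples() {
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$1/20-good"
    printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
        '"${distro_id}:${distro_codename}-security";' \
        '//"${distro_id}:${distro_codename}-updates";' '};' > "$1/50-good"
    sed 's/Unattended-Upgrade "1"/Unattended-Upgrade "0"/' "$1/20-good" > "$1/20-weak"
    sed 's:^//::' "$1/50-good" > "$1/50-weak"
}
```

On a live server, call audit_unattended with /etc/apt/apt.conf.d/20auto-upgrades and /etc/apt/apt.conf.d/50unattended-upgrades; settings spread over other files in that directory are only visible in the merged view from apt-config dump.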
Avoid Package Contention with Unattended Upgrades
One common issue with unattended-upgrades on Ubuntu 22.04 and newer is package contention. This happens when unattended-upgrades locks the APT database while you’re trying to run manual apt
You’ll see errors like:
E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 12345 (unattended-upgr)
Solution: Define Clear Maintenance Windows
The best practice for production Ubuntu servers is to schedule unattended-upgrades runs during known maintenance windows:
- Document your update schedule: Example: “Unattended-upgrades runs daily at 03:00 UTC”
- Communicate to your team: Ensure all administrators know when automatic updates run
- Avoid manual apt during update windows: Don’t run apt install or apt upgrade between 03:00-04:00 UTC
- Use systemd timers for custom scheduling: Override the default APT timer if needed
Check Unattended Upgrades Status
Check if unattended-upgrades is currently running:
ps aux | grep unattended-upgrade
Check the systemd timer status:
systemctl list-timers | grep apt
View recent unattended-upgrades activity:
sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log
Ubuntu Livepatch: Rebootless Kernel Updates in 2026
For production Ubuntu servers that can’t tolerate reboots, Ubuntu Livepatch provides rebootless kernel security updates. As of 2026, Livepatch supports:
- Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS, and Ubuntu Core 26
- AMD64 (x86_64) architecture
- ARM64 architecture (new in Ubuntu Core 26)
Livepatch integrates seamlessly with unattended-upgrades:
- Unattended-upgrades handles user-space security updates
- Livepatch handles kernel security updates without reboot
- Combined, they provide near-zero-downtime security patching
To enable Ubuntu Livepatch:
sudo ua attach <your-ubuntu-pro-token>
sudo ua enable livepatch
Ubuntu Pro (with Livepatch) is free for up to 5 machines in 2026. For enterprise deployments, Ubuntu Pro subscriptions are available.
Verify Unattended Upgrades Are Working
After configuring unattended-upgrades, verify it’s working correctly:
Test 1: Perform a Dry Run
Simulate an unattended-upgrades run without installing packages:
sudo unattended-upgrades --dry-run --debug
This shows which packages would be upgraded without actually installing them.
Test 2: Check Logs
Review the unattended-upgrades log file:
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
Look for entries like:
INFO Packages that will be upgraded: libssl1.1
Test 3: Manually Trigger an Update
Force an immediate unattended-upgrades run:
sudo unattended-upgrades
This immediately runs the update process and exits.
Unattended Upgrades Best Practices for 2026
Based on 2026 security standards and Ubuntu LTS support cycles, follow these best practices:
1. Use LTS Releases
Run Ubuntu 22.04 LTS, 24.04 LTS, or 26.04 LTS for production servers. LTS releases receive 5 years of security updates, with extended support available via Ubuntu Pro.
2. Install Security Updates Only
Configure unattended-upgrades to install ${distro_codename}-security
-updates
-proposed
3. Test in Staging First
Run identical staging servers with unattended-upgrades enabled. Monitor for issues before deploying to production.
4. Combine with Livepatch
For critical production servers, enable Ubuntu Livepatch to eliminate kernel reboot requirements.
5. Monitor Logs Centrally
Ship unattended-upgrades logs to a central logging system (Graylog, ELK, Splunk) for compliance auditing.
6. Document Update Policy
Maintain a written policy document that specifies:
- When unattended-upgrades runs (day/time)
- Which servers have automatic updates enabled
- Reboot policies and maintenance windows
- Escalation procedures for failed updates
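For the log check in Test 2 and the central log monitoring in practice 5, the following added example (not part of the original guide) condenses unattended-upgrades.log into one key=value line for shipping and exits non-zero when a run logged an error. It assumes each entry starts with a date, a time and a level; apart from the “Packages that will be upgraded” line shown earlier, the sample messages are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumed line layout: <date> <time> <LEVEL> <message>

# uu_summary LOGFILE: print one key=value summary line.
# Status: 0 = no errors logged, 1 = at least one ERROR entry, 2 = log unreadable.
uu_summary() {
    [ -r "$1" ] || { echo "status=missing file=$1"; return 2; }
    awk '
        # Remember the date of the last dated entry (skips traceback lines).
        $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { last = $1 }
        $3 == "ERROR"   { err++ }
        $3 == "WARNING" { warn++ }
        $3 == "INFO" && /Packages that will be upgraded:/ {
            runs++
            sub(/.*Packages that will be upgraded: */, "")
            n = split($0, p, " ")
            for (i = 1; i <= n; i++) seen[p[i]] = 1   # de-duplicate package names
        }
        END {
            for (k in seen) pkgs++
            printf "last_entry=%s upgrade_runs=%d packages=%d warnings=%d errors=%d\n",
                   last, runs, pkgs, warn, err
            exit (err > 0)
        }' "$1"
}

# uu_problems LOGFILE: print only the WARNING and ERROR entries for review.
uu_problems() { awk '$3 == "ERROR" || $3 == "WARNING"' "$1"; }

# Constructed sample log covering three daily runs.
sample_log() {
    cat <<'EOF'
2026-01-10 06:25:01,101 INFO Starting unattended upgrades script
2026-01-10 06:25:07,550 INFO Packages that will be upgraded: libssl1.1 openssl
2026-01-10 06:26:40,012 INFO All upgrades installed
2026-01-11 06:25:02,330 INFO Starting unattended upgrades script
2026-01-11 06:25:03,118 ERROR Lock could not be acquired (another package manager running?)
2026-01-12 06:25:01,907 INFO Starting unattended upgrades script
2026-01-12 06:25:09,441 INFO Packages that will be upgraded: libssl1.1 curl
2026-01-12 06:25:58,200 WARNING Reboot required to finish installing updates
EOF
}
```

A last_entry date that stops advancing is itself a finding: it usually means the APT timers covered under Troubleshooting are no longer firing.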
Troubleshooting Unattended Upgrades
Problem: Updates Not Installing
Check systemd timer status:
systemctl status apt-daily-upgrade.timer
systemctl status apt-daily.timer
If disabled, enable them:
sudo systemctl enable --now apt-daily-upgrade.timer
sudo systemctl enable --now apt-daily.timer
Problem: APT Lock Errors
If you encounter persistent lock errors, wait for unattended-upgrades to complete or kill the process:
sudo pkill -9 unattended-upgr
sudo rm /var/lib/dpkg/lock*
sudo dpkg --configure -a
Warning: Only kill unattended-upgrades processes if absolutely necessary.
Problem: Held Packages Not Updating
Check for held packages:
dpkg --get-selections | grep hold
Unhold packages if safe:
sudo apt-mark unhold <package-name>
Conclusion: Secure Your Ubuntu Server with Unattended Upgrades
Configuring Ubuntu unattended upgrades is a critical step in securing your Linux servers in 2026. With automatic security updates, you reduce the attack surface and ensure compliance with modern security standards.
Remember these key takeaways:
- Install unattended-upgrades on all Ubuntu 22.04, 24.04, and 26.04 LTS servers
- Configure security updates only for production environments
- Define clear maintenance windows to avoid package contention
- Combine with Ubuntu Livepatch for rebootless kernel patching
- Monitor logs and test in staging before deploying to production
By following this guide, your Ubuntu servers will automatically receive security updates, keeping them protected against the latest threats without constant manual intervention.
- About the Author
Mark is a senior content editor at Text-Center.com and has more than 20 years of experience with Linux and Windows operating systems. He also writes for Biteno.com