Automatic Security Updates on Ubuntu Server – Easy Setup Guide

Enabling automatic security updates on Ubuntu Server is done using the unattended-upgrades package, which downloads and installs security patches without manual intervention. Keeping your server updated is the most important step in protecting your data and services. Configuring background updates ensures your machine stays secured against new vulnerabilities.

Security Tutorial  ·  Ubuntu Server 26.04 LTS
Enable Automatic Security Updates
On Ubuntu Server 26.04 LTS

A complete guide to configuring background updates, setting up scheduled reboots, and verifying that security patches are installed correctly on your system.

Tool: unattended-upgrades
Updates: Security Patches
Target OS: Ubuntu Server (All Versions)
Support: April 2031 (Standard)

What This Guide Covers
• Installing and enabling unattended updates
• Configuring update sources and package limits
• Setting up automatic reboots for kernel patches
• Performing dry-run tests to verify the setup
• Checking update history and troubleshooting logs

By default, Ubuntu Server 26.04 LTS comes with the automatic update service enabled. However, many administrators disable it during custom installations, or find that VPS hosting templates ship with background updates turned off. Follow these clear steps to verify, configure, and manage automatic security patches on your server.

Step 1. Install and Turn On unattended-upgrades

First, you must ensure that the update package is installed on your server. If it is already installed, running the install command will update it to the newest version.

Refresh Package Lists and Install the Tool
sudo apt update
sudo apt install unattended-upgrades

These commands refresh the package lists and install the unattended-upgrades package on your system.

Turn On the Automatic Update Service
sudo dpkg-reconfigure -plow unattended-upgrades

This opens an interactive screen in your server terminal. Use the arrow keys to select Yes, then press Enter. Selecting yes tells the system to configure background updates to run automatically.

Verify Configuration Creation
cat /etc/apt/apt.conf.d/20auto-upgrades

Running this command should display two lines: one showing that package lists are refreshed daily, and one showing that security upgrades run daily. If both lines show a value of 1, the setup is successful.

Step 2. Customize Update Rules

The main configuration file controls which packages are updated, how errors are reported, and whether the server reboots after applying updates. You can modify these settings by opening the primary configuration file.

Open the Configuration File
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Use nano or your preferred terminal text editor to open the configuration settings.

Set Up Automated Reboots (Recommended)

Many security patches, especially kernel updates, require a system reboot before they take effect. You can configure the system to reboot automatically at a quiet hour instead of waiting for manual action. Locate the following lines, remove the leading comment slashes, and set them as shown:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

This schedules the server reboot for 2 AM local time if a patch requires a restart. Active users will be warned before the reboot occurs.

Enable Email Alerts for Security Actions

If your server is set up to send outgoing email using tools like Postfix, you can receive alerts whenever an upgrade fails or when new security patches are installed. Find the mail line, remove the comment characters, and add your address:

Unattended-Upgrade::Mail "your-email@example.com";

Replace the placeholder address with your actual email. Save the file by pressing Ctrl+O, then exit nano by pressing Ctrl+X.
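
To confirm the settings from Steps 1 and 2 as APT actually sees them, the following added example (not part of the original guide) audits the output of apt-config dump, which reflects every file under /etc/apt/apt.conf.d rather than a single one. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective APT settings this guide configures.
# Input: `apt-config dump` text on stdin. Output: one finding per line.
# Exit status: 0 if daily list refresh and unattended upgrades are enabled.

# cfg_value KEY FILE: print the value of the last `KEY "value";` line.
cfg_value() {
    sed -n "s/^$1 \"\(.*\)\";\$/\1/p" "$2" | tail -n 1
}

audit_auto_updates() {
    dump=$(mktemp) || return 2
    cat > "$dump"
    rc=0
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        val=$(cfg_value "$key" "$dump")
        case "$val" in
            ''|0) echo "FAIL $key=${val:-unset}"; rc=1 ;;
            *)    echo "OK   $key=$val" ;;
        esac
    done
    reboot=$(cfg_value Unattended-Upgrade::Automatic-Reboot "$dump")
    when=$(cfg_value Unattended-Upgrade::Automatic-Reboot-Time "$dump")
    if [ "$reboot" = "true" ]; then
        # Without a reboot time the restart happens right after the upgrade.
        echo "OK   automatic reboot at ${when:-now}"
    else
        echo "WARN no automatic reboot: kernel patches wait for a manual restart"
    fi
    rm -f "$dump"
    return "$rc"
}

# Constructed sample of `apt-config dump` output (not taken from a real host).
sample_dump() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# On a server: apt-config dump | audit_auto_updates
sample_dump | audit_auto_updates || echo "automatic security updates are NOT fully enabled"
```

The constructed sample deliberately has the upgrade step switched off, so the audit reports a FAIL line even though the package lists are still refreshed daily.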

Step 3. Perform a Safe Test Run

After changing your configuration settings, you should run a simulation. This ensures that the update program is working, understands your rules, and can read all package archives without failing.

Run a Simulated Update
sudo unattended-upgrade --dry-run --debug

This runs a test that mimics the background update process. The system reads package files and writes logs, but it does not modify or upgrade any software packages.

Check for Errors in Test Output

Review the output in your terminal window. The simulator should finish without displaying any crash traces or configuration error messages. It will show a list of packages that would be updated in a real run, ending with lines like this:

pkgs that look like they should be upgraded: 0
Fetched 0 B in 0s

If your server is fully up to date, it is normal to see zero package updates in the dry run output.

Step 4. Monitor Log Files and Service Health

You can confirm that security updates are running regularly by checking the status of the background service and reading the local system logs.

Check System Service Health
sudo systemctl status unattended-upgrades

This displays the current service status. The output should show the service is active and running, confirming the update agent is listening for tasks.

Read System Log Files
sudo tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log

This displays the last fifty lines of the main update log. Look for entries showing updates running on previous days, which confirms that background system maintenance is working correctly.
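
As an added example (not from the original guide), this script condenses the update log into one summary line and flags recorded errors. The sample log lines are constructed, and their message texts are assumed to match the usual unattended-upgrades wording.

```shell
#!/bin/sh
# Added example: summarise unattended-upgrades.log read from stdin.
# Prints any ERROR lines, then one summary line; returns non-zero when no
# run was logged or an ERROR was recorded.
summarize_uu_log() {
    awk '
        $3 == "ERROR" { errs++; print "error: " $0; next }
        /Starting unattended upgrades script/ { runs++; last = $1; next }
        /Packages that will be upgraded:/ {
            sub(/^.*Packages that will be upgraded: */, "")
            pkgs += split($0, names, " ")
        }
        END {
            printf "runs=%d last_run=%s upgraded=%d errors=%d\n",
                   runs, (last == "" ? "never" : last), pkgs, errs
            exit (runs == 0 || errs > 0)
        }'
}

# Constructed sample log (dates, packages and error text are illustrative).
sample_log() {
    cat <<'EOF'
2026-05-14 06:12:31,482 INFO Starting unattended upgrades script
2026-05-14 06:12:35,102 INFO Packages that will be upgraded: libssl3 openssl
2026-05-14 06:12:52,210 INFO All upgrades installed
2026-05-15 06:40:02,017 INFO Starting unattended upgrades script
2026-05-15 06:40:09,551 ERROR Lock could not be acquired
EOF
}

# On a server:
#   sudo cat /var/log/unattended-upgrades/unattended-upgrades.log | summarize_uu_log
# The daily runs are scheduled by systemd timers, which can be listed with:
#   systemctl list-timers apt-daily.timer apt-daily-upgrade.timer
sample_log | summarize_uu_log || echo "review the update log"
```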

Ubuntu Pro and Expanded Security Maintenance (ESM)

For long-term production servers, standard security updates last for five years. To get security updates for up to ten years, you can attach your server to Ubuntu Pro. Ubuntu Pro includes Expanded Security Maintenance (ESM) which automatically covers additional packages in the Ubuntu universe archive. The service is free for up to five personal machines.

Attach your Server to Ubuntu Pro
sudo pro attach YOUR_TOKEN_HERE

Replace YOUR_TOKEN_HERE with your actual free token from the official Ubuntu Pro dashboard. Once attached, the background updater will automatically download and apply ESM security patches.

Official Ubuntu Pro Resources

You can sign up for a free subscription on the Ubuntu Pro website. To learn more about ESM configuration and updates, see the Ubuntu Pro Client manual.

Automatic security updates are a powerful tool for server safety. They remove the chore of logging in daily to apply critical updates, reducing the window of vulnerability to new exploits. Take a few minutes to configure unattended updates on all your servers, and check the logs occasionally to ensure that your installations stay fully protected.

Frequently Asked Questions

What are automatic updates on Ubuntu Server called?

Automatic updates are handled by a package called unattended-upgrades. It is installed by default on modern Ubuntu releases, including Ubuntu Server 26.04 LTS.

Does enabling automatic updates reboot my Ubuntu Server?

By default, the update system does not reboot your server. However, if a security update (such as a kernel patch) requires a reboot, you can configure the system to reboot automatically at a specific time, such as 2 AM.

How do I disable automatic updates on Ubuntu Server?

You can disable automatic updates by running sudo dpkg-reconfigure -plow unattended-upgrades and selecting No in the interactive menu. This updates your configuration to stop automatic update runs.

Where are the logs for automatic updates located on Ubuntu?

The log files are stored in the directory /var/log/unattended-upgrades/. The main file is unattended-upgrades.log, which lists every package that was upgraded or checked.

How do I test if automatic updates are configured correctly?

You can simulate the update run by executing sudo unattended-upgrade --dry-run --debug. This runs a safe test without applying any changes to your packages.

What packages are automatically updated on Ubuntu Server?

By default, only security updates are installed. You can customize this in the configuration file located at /etc/apt/apt.conf.d/50unattended-upgrades to include other repositories, though keeping it restricted to security patches is recommended.
