How to Configure Unattended Upgrades on Debian 13, 12 and 11

Last updated Wednesday, May 20, 2026 7:45 am Joshua James 14 min read 3 comments

Automatic patching on Debian is useful only when the system installs the right packages, at the right time, with enough logging for you to see what happened later. A reliable way to configure unattended upgrades on Debian is to enable the APT periodic switch, keep Debian security origins enabled, and then add only the local policy choices your server or laptop actually needs.

This workflow applies to Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye). The package names, command names, systemd unit names, and default timer layout are consistent across those releases; package versions and log contents will differ by system.

Install and Enable Unattended Upgrades on Debian

The unattended-upgrades package is in the default Debian repositories. It provides the upgrade backend, the default configuration file, the shutdown helper service, and the command-line tool used for manual dry runs.

Check Whether Unattended Upgrades Is Already Installed

Some Debian desktop installs already include unattended-upgrades, while minimal, server, and custom images may not. Check the package state first so you know whether you are enabling an existing setup or installing it from scratch.

dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package} ${Version}\n' unattended-upgrades 2>/dev/null || true

A line beginning with ii means the package is installed. No output, or a status that does not begin with ii, means you should install the package before continuing.

Refresh APT Metadata

Refresh the package index before installing. This updates APT’s view of enabled repositories without upgrading unrelated packages.

sudo apt update

Install the Core Package

Install unattended-upgrades from Debian’s default package sources.

sudo apt install unattended-upgrades

The package installs both /usr/bin/unattended-upgrade and /usr/bin/unattended-upgrades on Debian 13, 12, and 11. The Debian unattended-upgrade man page uses the singular command name, so use unattended-upgrade for manual dry runs.

Install Optional Helper Packages

Install optional helpers only when they match your policy. They are not all required for a basic security-update setup.

| Package | Role | When to Install It |
| --- | --- | --- |
| apt-config-auto-update | Adds APT periodic configuration for package-list refreshes, upgradeable-package downloads, and archive cleanup. | Use it when you want Debian’s packaged automatic cache-update defaults instead of managing those APT periodic options yourself. |
| powermgmt-base | Provides power-state checks used by the package-level OnlyOnACPower option. | Use it on laptops and other systems where upgrades should pause on battery power. |
| apt-listchanges | Shows package changelog and news entries before or during upgrades. | Use it when you want more context about package changes, especially on administered servers. |
| bsd-mailx plus an MTA such as postfix | Provides local mail sending for unattended-upgrades reports. | Use it when the system should email upgrade results or errors to an administrator. |

For a laptop-oriented setup, install the power helper.

sudo apt install powermgmt-base

For package-list refresh and archive housekeeping defaults, install the APT periodic helper.

sudo apt install apt-config-auto-update

For package changelog and NEWS summaries during APT work, install the apt-listchanges package. When configured as an APT plugin, it can show the relevant package change history during upgrades.

sudo apt install apt-listchanges

For mail reports, install a mail client and a mail transfer agent. Postfix opens an interactive package configuration prompt; choose a direct-send or relay setup that matches how your server is allowed to send mail.

sudo apt install bsd-mailx postfix

Enable Automatic Upgrade Runs

Installing the package is not the same as enabling the periodic upgrade action on every Debian image. Make the activation explicit by creating /etc/apt/apt.conf.d/20auto-upgrades with the two APT periodic settings unattended-upgrades expects.

printf '%s\n' \
'APT::Periodic::Update-Package-Lists "1";' \
'APT::Periodic::Unattended-Upgrade "1";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null

The value "1" means the action can run once per day. The systemd timers decide when the daily check happens; the APT periodic values decide whether the action is allowed when the timer fires.

Verify the APT Periodic Settings

Confirm that APT can read the activation file.

apt-config dump | grep -E 'APT::Periodic::(Update-Package-Lists|Unattended-Upgrade)'

The two enabled values should appear.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

If APT::Periodic::Unattended-Upgrade is missing or set to "0", the timer can still wake up, but it will not perform unattended package installation.

Verify the Systemd Timers

Debian uses systemd timers for the normal recurring work. Check the timers after installing and enabling the package.

systemctl list-timers --all 'apt-daily*' --no-pager

You should see apt-daily.timer and apt-daily-upgrade.timer. The exact NEXT and LAST timestamps vary because Debian adds randomized delay to reduce mirror load.

If either APT timer is disabled, re-enable the timers. Do not treat unattended-upgrades.service as the daily scheduler; that service is a shutdown helper installed by the unattended-upgrades package.

sudo systemctl enable --now apt-daily.timer apt-daily-upgrade.timer

Understand Debian’s Unattended Upgrade Files

Debian splits unattended-upgrades behavior across a few small APT configuration fragments. Knowing which file owns which decision prevents the common mistake of editing the wrong setting and wondering why the timer still does nothing.

| File | Purpose | Typical Reader Action |
| --- | --- | --- |
| /etc/apt/apt.conf.d/20auto-upgrades | Enables or disables periodic package-list updates and unattended upgrade runs. | Create or edit this file when automatic upgrades are not running. |
| /etc/apt/apt.conf.d/50unattended-upgrades | Debian’s packaged unattended-upgrades policy file with default origins, comments, and optional settings. | Read it for reference. Avoid replacing large sections casually because package updates can offer conffile prompts if it is heavily edited. |
| /etc/apt/apt.conf.d/52unattended-upgrades-local | A local override file you create for site policy, such as extra origins, email behavior, reboot windows, or package exclusions. | Use it for changes you want to keep separate from Debian’s packaged default file. |

The 52unattended-upgrades-local file is not created automatically by apt-config-auto-update. That package installs 10periodic, 15update-stamp, and 20archive for APT periodic behavior. Create 52unattended-upgrades-local yourself when you need local unattended-upgrades policy overrides.

Create a Local Override File

Use a later-numbered file for local settings. The filename matters because APT reads fragments in lexical order.

sudo editor /etc/apt/apt.conf.d/52unattended-upgrades-local

For simple scalar settings, such as email, reboot time, and logging, write only the setting you want to change. For list settings, such as Origins-Pattern, clear the existing list before replacing it; APT appends list entries unless you use #clear, as described in the Debian apt.conf syntax reference.

Configure Unattended Upgrade Origins on Debian

The origin policy controls which package sources are eligible for automatic installation. Debian’s default file uses Origins-Pattern entries that match Release-file metadata such as origin, codename, label, suite, and component.

Review the Default Debian Origin Policy

Debian’s default policy keeps the current release and security archive enabled. That pairing matters because a security fix can depend on a package from the base release archive.

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};

The ${distro_codename} macro expands to your installed release codename, such as trixie, bookworm, or bullseye. This does not upgrade Debian to the next release; it follows the same release you already have configured in APT.

Inspect Available Origin Fields

Use apt-cache policy to inspect the origin, archive, and label values available on your system before adding extra sources to automatic upgrades. The sed filter keeps the output focused on Release metadata; see these sed command examples if you want to adjust the filter.

apt-cache policy | sed -n '/release /p'

Look for fields such as o=Debian, a=stable, n=trixie, and l=Debian. Third-party repositories use their own values, so do not guess origin patterns from a package name alone.

Enable Point Release Updates Automatically

Debian’s -updates archive contains stable point-release updates. Many administrators keep the default security-focused policy; others include -updates so routine stable fixes can land without waiting for manual maintenance.

Create a local override file that replaces the origin list and includes -updates.

sudo tee /etc/apt/apt.conf.d/52unattended-upgrades-local > /dev/null <<'EOF'
#clear Unattended-Upgrade::Origins-Pattern;
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-updates,label=Debian";
};
EOF

The #clear line is important. Without it, APT can append your new list entries to the packaged list instead of replacing the list cleanly.

Handle Backports and Proposed Updates Carefully

Backports and proposed updates are not routine security-update sources. Enable them for unattended upgrades only when you already use those archives intentionally and you understand the version movement they introduce.

| Source | Automatic Upgrade Policy | Reason |
| --- | --- | --- |
| ${distro_codename}-updates | Reasonable on many stable systems after review. | Contains stable point-release updates for the current Debian release. |
| ${distro_codename}-backports | Use only for systems that deliberately install packages from backports. | Backports can move selected packages to newer branches than the base release. |
| ${distro_codename}-proposed-updates | Avoid on production systems unless you are explicitly testing proposed updates. | Proposed updates are staged before point-release acceptance. |
| Third-party APT repositories | Add only after checking the repository’s Release fields and your trust/update policy. | Vendor repositories can have different labels, suites, support windows, and restart behavior. |

If you need backports, inspect your actual apt-cache policy output and match the metadata present on your system. A typical backports entry uses the Debian Backports origin and label.

"o=Debian Backports,n=${distro_codename}-backports,l=Debian Backports";

Test Origin Changes

Run a debug dry run after changing origins. The dry run simulates the unattended upgrade process without installing upgrades.

sudo unattended-upgrade --dry-run --debug

The first lines should list the origins unattended-upgrades will allow.

Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=trixie,label=Debian, origin=Debian,codename=trixie,label=Debian-Security, origin=Debian,codename=trixie-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):

Your codename and package list will differ. The important check is that the allowed origins match your intended policy and no Python traceback or APT configuration error appears.
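To check an origin policy against Release metadata before touching a live system, the following added example (not part of the original guide or of unattended-upgrades itself) models the matching in Python. It is a simplified model that assumes every key=value token in a pattern must match and that values are compared as shell-style globs; the release lines, including the "Example Vendor" repository, are constructed sample data.

```python
from fnmatch import fnmatch

# Short and long key spellings accepted in a pattern, mapped to one name.
KEY_ALIASES = {
    "o": "origin", "origin": "origin",
    "l": "label", "label": "label",
    "a": "archive", "archive": "archive", "suite": "archive",
    "n": "codename", "codename": "codename",
    "c": "component", "component": "component",
}

# Constructed sample of `apt-cache policy | sed -n '/release /p'` output.
# "Example Vendor" is a made-up third-party repository.
SAMPLE_RELEASE_LINES = """\
     release v=13.0,o=Debian,a=stable,n=trixie,l=Debian,c=main,b=amd64
     release o=Debian,a=stable-updates,n=trixie-updates,l=Debian,c=main,b=amd64
     release v=13,o=Debian,a=stable-security,n=trixie-security,l=Debian-Security,c=main,b=amd64
     release o=Example Vendor,a=stable,n=trixie,l=Example Vendor Repo,c=main,b=amd64
"""

# The default policy and the -updates entry, copied from the guide.
DEFAULT_PATTERNS = [
    "origin=Debian,codename=${distro_codename},label=Debian",
    "origin=Debian,codename=${distro_codename},label=Debian-Security",
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security",
]
UPDATES_PATTERN = "origin=Debian,codename=${distro_codename}-updates,label=Debian"


def parse_release_line(line):
    """Turn one 'release k=v,k=v' line into a dict keyed by canonical names."""
    fields = {}
    _, _, body = line.strip().partition("release ")
    for item in body.split(","):
        key, sep, value = item.partition("=")
        if sep and key in KEY_ALIASES:  # v= and b= are not used for matching
            fields[KEY_ALIASES[key]] = value
    return fields


def pattern_matches(pattern, release, codename):
    """True when every key=value token in the pattern matches the release."""
    pattern = pattern.replace("${distro_codename}", codename)
    for token in pattern.split(","):
        key, sep, wanted = token.strip().partition("=")
        if not sep or key not in KEY_ALIASES:
            raise ValueError(f"unsupported pattern token: {token!r}")
        if not fnmatch(release.get(KEY_ALIASES[key], ""), wanted):
            return False
    return True


def allowed_sources(patterns, release_lines, codename):
    """Return (origin, codename) for each source that some pattern allows."""
    allowed = []
    for line in release_lines.splitlines():
        release = parse_release_line(line)
        if release and any(pattern_matches(p, release, codename) for p in patterns):
            allowed.append((release.get("origin", ""), release.get("codename", "")))
    return allowed


if __name__ == "__main__":
    policies = {
        "default": DEFAULT_PATTERNS,
        "with -updates": DEFAULT_PATTERNS + [UPDATES_PATTERN],
    }
    for name, patterns in policies.items():
        print(name, allowed_sources(patterns, SAMPLE_RELEASE_LINES, "trixie"))
```

With the default policy, the -updates archive and the vendor repository are both left out; only an explicit matching pattern makes either one eligible.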

Configure Upgrade Behavior and Notifications

After the origin policy is correct, tune the settings that affect maintenance windows, restarts, notifications, cleanup, and laptop behavior. Put these settings in /etc/apt/apt.conf.d/52unattended-upgrades-local unless you have a specific reason to edit the packaged default file directly.

Exclude Packages from Automatic Upgrades

The package blacklist uses Python regular expressions. Keep exclusions specific; broad patterns can block security updates you actually wanted.

Unattended-Upgrade::Package-Blacklist {
    "postgresql-15$";
    "nginx$";
};

The $ anchor means the pattern matches the end of the package name. For example, "nginx$" matches the package named nginx, while a broad pattern such as "nginx" can also match related package names. Avoid blocking linux-, libc6, openssl, or other base packages unless you have a tested manual patch process for them.
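The effect of the $ anchor is easy to test before a pattern goes into the blacklist. This added example (not from the original guide) audits candidate patterns against a constructed package list; it assumes patterns are applied with Python's re.match, so they are anchored at the start of the package name, and the PROTECTED_PREFIXES tuple is an illustrative stand-in for the base packages named above.

```python
import re

# Constructed package names for illustration only.
SAMPLE_PACKAGES = [
    "nginx", "nginx-common", "nginx-core", "libnginx-mod-http-geoip2",
    "postgresql-15", "postgresql-client-15", "postgresql-15-postgis-3",
    "openssl", "libssl3", "linux-image-amd64", "libc6", "libc6-dev",
]

# Base packages the guide advises against blocking (illustrative prefixes).
PROTECTED_PREFIXES = ("linux-", "libc6", "openssl")


def matched_packages(pattern, package_names):
    """Names the pattern would exclude, assuming re.match (start-anchored)."""
    regex = re.compile(pattern)
    return [name for name in package_names if regex.match(name)]


def audit_blacklist(patterns, package_names):
    """Return (pattern, finding, detail) tuples for patterns worth a second look.

    Findings: 'invalid' (regex does not compile), 'blocks-base-package',
    'broad' (more than one package matched), 'no-match' (matches nothing).
    A pattern that matches exactly one non-protected package yields nothing.
    """
    findings = []
    for pattern in patterns:
        try:
            hits = matched_packages(pattern, package_names)
        except re.error as exc:
            findings.append((pattern, "invalid", str(exc)))
            continue
        protected = [name for name in hits if name.startswith(PROTECTED_PREFIXES)]
        if protected:
            findings.append((pattern, "blocks-base-package", protected))
        elif len(hits) > 1:
            findings.append((pattern, "broad", hits))
        elif not hits:
            findings.append((pattern, "no-match", []))
    return findings


if __name__ == "__main__":
    candidates = ["nginx$", "nginx", "postgresql-15$", "postgresql-15", "libc6", "ssl"]
    for finding in audit_blacklist(candidates, SAMPLE_PACKAGES):
        print(finding)
```

Run the audit against the output of `dpkg-query -W -f='${binary:Package}\n'` instead of the sample list to see what a pattern would hold back on a real host.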

Send Email Reports

Mail reports need both unattended-upgrades settings and a working local mail setup. On a server, only-on-error is usually less noisy than receiving a message for every successful run.

Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "only-on-error";

The supported MailReport values are always, only-on-error, and on-change. Use on-change when you want messages for package changes and errors, but not for quiet no-op runs.

Test local mail delivery after installing bsd-mailx and configuring your MTA.

printf 'Test email from %s\n' "$(hostname)" | mail -s "Debian unattended-upgrades mail test" admin@example.com

Control Automatic Reboots

Unattended-upgrades does not need to reboot after every package update. Reboots happen only when the system has a reboot-required marker and you enable automatic reboot behavior.

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

For remote servers, set a maintenance time you can tolerate and keep Automatic-Reboot-WithUsers at "false" unless the system is safe to reboot while users are logged in. Before enabling automatic reboots on an SSH-managed host, make sure SSH is installed and enabled on Debian and that you have a fallback access path.

Check whether a reboot is currently pending.

test -f /var/run/reboot-required && cat /var/run/reboot-required || echo "No reboot required"

Control Dependency and Kernel Cleanup

Cleanup settings decide whether packages made unnecessary by an unattended run are removed automatically. Keep broad cleanup conservative on servers where old packages may still be needed for rollback, custom modules, or troubleshooting.

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";

Remove-New-Unused-Dependencies targets dependencies that became unused because of the unattended run. Remove-Unused-Dependencies is broader, similar to an unattended autoremove, so leave it disabled unless you have reviewed how autoremove behaves on that system.

Configure Laptop Power and Metered Network Behavior

Debian’s apt-daily-upgrade.service includes ConditionACPower=true on Debian 13, 12, and 11. The package-level power and network options are still useful when the command is run outside the normal timer path or when you want the unattended-upgrades process to make its own skip decision.

Unattended-Upgrade::OnlyOnACPower "true";
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
Acquire::http::Dl-Limit "500";

OnlyOnACPower needs powermgmt-base. Skip-Updates-On-Metered-Connections depends on network metering information being available, commonly through desktop network management. Acquire::http::Dl-Limit limits APT HTTP download speed in KB/s.

Increase Logging for Troubleshooting

Verbose logging can help while you are checking the setup. Avoid leaving debug logging enabled permanently unless you are investigating a recurring failure.

Unattended-Upgrade::Verbose "true";
Unattended-Upgrade::Debug "false";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";

Use Example Debian Maintenance Policies

The right settings depend on how the machine is used. Start with one of these policy examples, then adapt the reboot, mail, and origin choices to your maintenance process.

Security-Only Server Policy

This policy keeps the default Debian and Debian security origins, enables daily unattended runs, emails only failures, and avoids automatic reboots.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "only-on-error";
Unattended-Upgrade::Automatic-Reboot "false";

This is a good starting point when a production server needs automatic security fixes but reboots still require a human maintenance window.

VPS Maintenance Window Policy

This policy allows stable point-release updates, sends mail when packages change or errors occur, and permits reboots during a quiet early-morning window.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
#clear Unattended-Upgrade::Origins-Pattern;
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-updates,label=Debian";
};
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

Pair this with service monitoring so a rebooted server is checked automatically. If the VPS runs public SSH, web, or database services, combine automatic updates with firewall and brute-force protections rather than treating package updates as the whole security plan.

Laptop or Desktop Policy

This policy avoids upgrades on battery or metered networks and keeps reboots manual. It fits laptops where automatic package installation is helpful but surprise restarts are not.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::OnlyOnACPower "true";
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
Unattended-Upgrade::Automatic-Reboot "false";

Install powermgmt-base before relying on OnlyOnACPower. Desktop software centers and update notifiers can also manage updates, so avoid creating competing policies unless you know which tool owns the final upgrade action.

Manage Debian Systemd Timers

Unattended-upgrades is tied to APT’s systemd timers on modern Debian. The timers wake APT, and apt.systemd.daily checks the APT periodic values before refreshing package lists, downloading upgradeable packages, or running unattended-upgrade.

| Unit | What It Does | Default Debian Behavior |
| --- | --- | --- |
| apt-daily.timer | Triggers package-list refresh and download activity through apt-daily.service. | Runs at 06:00 and 18:00 with up to 12 hours of randomized delay. |
| apt-daily-upgrade.timer | Triggers upgrade and cleanup activity through apt-daily-upgrade.service. | Runs at 06:00 with up to 60 minutes of randomized delay. |
| apt-daily-upgrade.service | Runs /usr/lib/apt/apt.systemd.daily install. | Checks AC power, runs after common network targets, and then obeys APT periodic settings. |
| unattended-upgrades.service | Runs the shutdown helper unattended-upgrade-shutdown. | Installed by unattended-upgrades, but it is not the daily scheduling unit. |

Inspect Timer and Service Definitions

Use systemctl cat when you need to see the packaged timer schedule or service conditions.

systemctl cat apt-daily.timer apt-daily-upgrade.timer apt-daily-upgrade.service unattended-upgrades.service --no-pager

On Debian 13, 12, and 11, apt-daily-upgrade.service includes ConditionACPower=true. If a laptop is on battery power, systemd can skip the service before unattended-upgrades even starts.

Change the Systemd Timer Schedule

Use a systemd drop-in instead of editing packaged unit files directly. Timer settings such as OnCalendar are repeatable, so reset the old value with a blank assignment before adding the replacement.

sudo systemctl edit apt-daily-upgrade.timer

This example schedules the upgrade timer for 03:00 with up to 30 minutes of randomized delay.

[Timer]
OnCalendar=
OnCalendar=*-*-* 03:00
RandomizedDelaySec=30m
Persistent=true

Reload systemd and restart the timer after saving the drop-in.

sudo systemctl daemon-reload
sudo systemctl restart apt-daily-upgrade.timer
systemctl list-timers --all 'apt-daily*' --no-pager

If you shorten the timer interval so it fires more than once per day and you expect unattended-upgrades to attempt installation every time, set the corresponding APT periodic value to "always". Debian’s apt.systemd.daily script treats "always" as an instruction to ignore the stamp file for that action.

printf '%s\n' \
'APT::Periodic::Update-Package-Lists "always";' \
'APT::Periodic::Unattended-Upgrade "always";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null

Most systems should stay with daily values. More frequent automatic package installation can increase lock contention with manual APT work and should be matched to a real operational need.

Use Cron Only as a Fallback

Cron is useful on unusual systems where systemd timers are unavailable or deliberately disabled. Do not run cron and apt-daily-upgrade.timer for the same job unless you are intentionally creating separate maintenance windows.

sudo crontab -e

A daily 03:00 cron entry uses the singular command path.

0 3 * * * /usr/bin/unattended-upgrade

Disable the packaged upgrade timer if cron becomes the owner of the upgrade run.

sudo systemctl disable --now apt-daily-upgrade.timer

Monitor Unattended Upgrade Activity

Monitoring matters because unattended-upgrades can correctly do nothing when no eligible packages exist. Logs and timer state tell you whether the job ran, what origins were allowed, which packages were considered, and why a run skipped.

Read the Main Log File

The main log lives at /var/log/unattended-upgrades/unattended-upgrades.log. Use the tail command to read recent entries without opening the whole file.

sudo tail -n 80 /var/log/unattended-upgrades/unattended-upgrades.log

The dpkg transaction log is separate and useful when a package unpack or configure step fails.

sudo tail -n 80 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

Search Logs by Package or Date

Use grep when you need to find a package name, a date, or a repeated error in unattended-upgrades logs.

sudo grep -E 'openssl|linux-image|postgresql' /var/log/unattended-upgrades/unattended-upgrades.log
sudo grep "$(date +%F)" /var/log/unattended-upgrades/unattended-upgrades.log

Use Journalctl for Timer and Service Clues

Use the APT daily upgrade service for timer-run diagnostics and the unattended-upgrades service for shutdown-helper diagnostics.

sudo journalctl -u apt-daily-upgrade.service --since today --no-pager
sudo journalctl -u unattended-upgrades.service --since today --no-pager

If syslog logging is enabled in unattended-upgrades, you can also inspect the configured syslog destination. On many Debian systems using systemd-journald, journal output is the quickest first check.
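For routine monitoring, the log can be summarized per run instead of read by eye. This added example (not from the original guide) groups log lines into runs and reports stale or failing runs; it assumes each log line has the form "timestamp LEVEL message", and the sample log, including its message texts, is constructed, so adjust the markers to what your own log contains.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout: "2026-05-19 06:31:02,007 INFO message text"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (\w+) (.*)$")
RUN_START = "Starting unattended upgrades script"
UPGRADE_PREFIX = "Packages that will be upgraded:"

# Constructed sample of /var/log/unattended-upgrades/unattended-upgrades.log.
SAMPLE_LOG = """\
2026-05-18 06:12:44,101 INFO Starting unattended upgrades script
2026-05-18 06:12:44,102 INFO Allowed origins are: origin=Debian,codename=trixie,label=Debian
2026-05-18 06:12:46,480 INFO No packages found that can be upgraded unattended and no pending auto-removals
2026-05-19 06:31:02,007 INFO Starting unattended upgrades script
2026-05-19 06:31:05,554 INFO Packages that will be upgraded: libssl3t64 openssl
2026-05-19 06:31:19,920 INFO All upgrades installed
2026-05-20 06:04:10,300 INFO Starting unattended upgrades script
2026-05-20 06:04:10,812 ERROR Lock could not be acquired (another package manager running?)
"""


def summarize_runs(log_text):
    """Group log lines into runs: start time, upgraded packages, problems."""
    runs = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue  # blank lines or continuation lines such as tracebacks
        stamp, level, message = match.groups()
        if message.startswith(RUN_START):
            started = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            runs.append({"started": started, "upgraded": [], "problems": []})
            continue
        if not runs:
            continue  # lines before the first run marker (rotated log)
        run = runs[-1]
        if message.startswith(UPGRADE_PREFIX):
            run["upgraded"].extend(message[len(UPGRADE_PREFIX):].split())
        elif level in ("WARNING", "ERROR", "CRITICAL"):
            run["problems"].append(f"{level}: {message}")
    return runs


def needs_attention(runs, now, max_age_hours=36):
    """List reasons to look at the host: no recent run, or runs with problems."""
    if not runs:
        return ["no unattended-upgrades run recorded"]
    reasons = []
    last = runs[-1]["started"]
    if now - last > timedelta(hours=max_age_hours):
        reasons.append(f"last run started {last:%Y-%m-%d %H:%M}, over {max_age_hours}h ago")
    for run in runs:
        for problem in run["problems"]:
            reasons.append(f"{run['started']:%Y-%m-%d}: {problem}")
    return reasons


if __name__ == "__main__":
    parsed = summarize_runs(SAMPLE_LOG)
    for run in parsed:
        print(run["started"], run["upgraded"] or "nothing upgraded", run["problems"])
    print(needs_attention(parsed, datetime(2026, 5, 20, 12, 0)))
```

A quiet run with no upgraded packages is reported as healthy, which separates "nothing to do" from "did not run" and "ran and failed".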

Troubleshoot Unattended Upgrades on Debian

Timer Runs but No Packages Upgrade

A timer run with no upgraded packages can be normal when no eligible updates exist. First check that the APT periodic switch is enabled, then run a dry run to see which origins are allowed.

apt-config dump | grep -E 'APT::Periodic::(Update-Package-Lists|Unattended-Upgrade)'
sudo unattended-upgrade --dry-run --debug

If the dry run lists only Debian and Debian-Security origins, packages from -updates, backports, or third-party repositories will not install automatically unless you add matching origin patterns.

The 52unattended-upgrades-local File Is Missing

A missing 52unattended-upgrades-local file is normal. Debian installs 50unattended-upgrades as the packaged default; local override files are administrator-created. Create 52unattended-upgrades-local only when you need settings that differ from Debian’s default file.

sudo editor /etc/apt/apt.conf.d/52unattended-upgrades-local

Use #clear only when replacing a list such as Origins-Pattern. Single-value options such as Automatic-Reboot-Time or MailReport do not need it.

ConditionACPower Skips the Upgrade Service

On Debian 13, 12, and 11, apt-daily-upgrade.service includes ConditionACPower=true. If the system is a laptop on battery power, systemd can skip the scheduled upgrade service.

systemctl cat apt-daily-upgrade.service --no-pager | grep ConditionACPower
sudo journalctl -u apt-daily-upgrade.service --since today --no-pager

Connect AC power and wait for the next timer run, or start a manual dry run after checking the package state. Do not remove the power condition on a portable system unless automatic upgrades on battery are acceptable.

Dpkg or APT Lock Errors Appear

Lock errors usually mean another APT, dpkg, packagekit, software-center, or unattended-upgrade process is running. Check for active package-manager work before attempting repairs.

pgrep -af '[a]pt|[d]pkg|[u]nattended-upgrade' || true

Wait for active package operations to finish. If no package manager is running and dpkg was interrupted, finish configuration and repair dependencies.

sudo dpkg --configure -a
sudo apt -f install

Do not delete dpkg or APT lock files while a package-manager process is still active. Removing locks from a live transaction can corrupt package state.

Packages Are Kept Back

Unattended-upgrades can keep packages back when dependencies cannot be satisfied from allowed origins, when a package needs an interactive conffile decision, or when the upgrade requires a broader transaction than the unattended policy allows.

sudo apt update
sudo apt --simulate upgrade

Review the simulated transaction before running a manual upgrade. If the held package comes from -updates, backports, or a vendor repository, decide whether that source belongs in unattended-upgrades or whether it should stay manual.

Configuration Syntax Errors Stop Runs

APT configuration syntax requires quoted values and semicolons. A missing semicolon, unescaped quote, or bad list replacement can stop unattended-upgrades before it reaches package selection.

sudo unattended-upgrade --dry-run --debug 2>&1 | sed -n '1,120p'

Look for Python tracebacks, APT parser errors, or unexpected empty origin matches. Re-check list replacement files for #clear when overriding Origins-Pattern.

Email Reports Do Not Arrive

Email failures usually come from a missing mailx provider, a missing or unconfigured MTA, blocked outbound SMTP, or a relay authentication issue.

command -v mail || echo "mail command is missing"
systemctl status postfix --no-pager

If Postfix is installed, inspect its logs after sending a test message.

sudo journalctl -u postfix --since today --no-pager

No Log File Exists Yet

The log directory may not exist until unattended-upgrades has run. Generate a fresh dry-run log, then check the log directory again.

sudo unattended-upgrade --dry-run --debug
sudo ls -l /var/log/unattended-upgrades/

If the dry run works but no timer log appears later, inspect apt-daily-upgrade.service and the APT periodic values. The package can be installed correctly while the periodic switch remains disabled.

Update, Disable, or Remove Unattended Upgrades

Update the Package

Update unattended-upgrades like any other Debian package. Use a targeted package upgrade when you only want to refresh this package.

sudo apt update
sudo apt install --only-upgrade unattended-upgrades

If you installed optional helper packages, update them the same way.

sudo apt install --only-upgrade apt-config-auto-update powermgmt-base apt-listchanges bsd-mailx postfix

Disable Automatic Upgrades Without Removing the Package

Disable the unattended installation action by setting APT::Periodic::Unattended-Upgrade to "0". Keeping package-list refresh enabled lets Debian still check metadata for manual update workflows.

printf '%s\n' \
'APT::Periodic::Update-Package-Lists "1";' \
'APT::Periodic::Unattended-Upgrade "0";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null

Disable the upgrade timer only when you do not want systemd to wake the upgrade path at all.

sudo systemctl disable --now apt-daily-upgrade.timer

Remove Unattended Upgrades

Remove the core package and any optional packages you installed for this workflow. Keep mail or apt-listchanges packages if another workflow uses them.

sudo apt remove unattended-upgrades

Remove the optional helper packages only when they are no longer needed.

sudo apt remove apt-config-auto-update powermgmt-base

If mail reports and changelog prompts were installed only for this workflow, remove those helpers separately after confirming no other local process needs them.

sudo apt remove apt-listchanges bsd-mailx postfix

If you want a clean local policy reset, remove the local activation and override files you created.

sudo rm -f /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/52unattended-upgrades-local

Purge the package only when you also want Debian to remove package-owned configuration files.

sudo apt purge unattended-upgrades

Check installed state after removal.

dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package}\n' unattended-upgrades 2>/dev/null | grep '^ii' || echo "unattended-upgrades is not installed"

Run autoremove separately and review the package list before accepting it.

sudo apt autoremove

Conclusion

Debian is now set up to install eligible updates through APT periodic scheduling, with origin policy, logs, reboot behavior, and notification choices under your control. Before relying on unattended maintenance for exposed systems, add complementary protections such as Fail2Ban on Debian, UFW firewall rules on Debian, and Timeshift snapshots on Debian.


3 thoughts on “How to Configure Unattended Upgrades on Debian 13, 12 and 11”

    • Thanks for catching that, DeeDeeRanged. You were absolutely right. The example under the OnlyOnACPower heading was incorrectly showing the SyslogFacility syntax instead of the correct option. The article has been corrected to:

      Unattended-Upgrade::OnlyOnACPower "true";

      Thank you for taking the time to report this. Your feedback directly improved the guide for future readers.
