unattended upgrade not picking up latest updates

Question

I am new to ubuntu unattended upgrades and have this setup on our VMs. we have ubuntu repos locally on a Landscape repository VM and all the clients connect to repo to download and update the packages.

so the situation is, unattended upgrade doesn't run automatically nor it doesn't shows list of packages that can be upgraded when I do --dry-run. However apt-get upgrade -s gives me the list of upgradable packages. Yes, apt-get upgrade will look for configs defined in /etc/apt/sources.list. please let me know if I am missing the proper configs on /etc/apt/apt.conf.d/50unattended-upgrades.

*# less /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Origins-Pattern {
        "o=landscape.int.com/repository/standalone/elastic,a=stable,c=main";
        "o=landscape.int.com/repository/standalone/microsoft-${distro_codename},a=${distro_codename},c=main";
        "o=landscape.int.com/repository/standalone/puppet,a=${distro_codename},c=puppet";
        "origin=${distro_id},codename=${distro_codename}";
        "origin=${distro_id},codename=${distro_codename}-security";
        "origin=${distro_id},codename=${distro_codename}-updates";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
};
// List of days in the week that updates should be applied.
// The days can be specified as localized abbreviated or full names.
// Or as integers where "0" is Sunday, "1" is Monday etc.
// Require Unattended-upgrades version >=0.91 to work, else it is ignored
Unattended-Upgrade::Update-Days {
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";*

For example, when I run mdatp upgrade using apt-get

# apt-get upgrade mdatp
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  auditd libauparse0
Use 'apt autoremove' to remove them.
The following packages have been kept back:
  linux-generic linux-headers-generic linux-image-generic sosreport ubuntu-advantage-tools ubuntu-pro-client-l10n
The following packages will be upgraded:
  amd64-microcode apparmor apport apt apt-transport-https apt-utils base-files bash bind9-dnsutils bind9-host bind9-libs binutils binutils-common binutils-x86-64-linux-gnu bsdextrautils bsdutils
  busybox-initramfs busybox-static ca-certificates cloud-init coreutils cpio cryptsetup cryptsetup-bin cryptsetup-initramfs curl dirmngr distro-info distro-info-data dmeventd dmidecode dmsetup
  dpkg dpkg-dev e2fsprogs eject ethtool fdisk....

Truncated output of unattended-upgrade --dry-run -d

Allowed origins are: o=landscape.int.com/repository/standalone/elastic,a=stable,c=main, o=landscape.int.com/repository/standalone/microsoft-jammy,a=jammy,c=main, o=landscape.int.com/repository/standalone/puppet,a=jammy,c=puppet, origin=Ubuntu,codename=jammy, origin=Ubuntu,codename=jammy-security, origin=Ubuntu,codename=jammy-updates
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/landscape.int.com_repository_standalone_microsoft-jammy_dists_jammy_main_binary-amd64_Packages'  a=jammy,c=main,v=,o=,l= arch='amd64' site='landscape.int.com' IndexType='Debian Package Index' Size=153289 ID:15> with -32768 pin
Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/landscape.int.com_repository_standalone_microsoft-jammy_dists_jammy_main_binary-amd64_Packages'  a=jammy,c=main,v=,o=,l= arch='amd64' site='landscape.int.com' IndexType='Debian Package Index' Size=153289 ID:15>

score 0 · Answer 1 · answered May 14 '25 at 12:56

The reason not all updates are immediately picked up is because Ubuntu works with a system of phased updates. In the output of apt-get, you see the packages that are not immediately taken in the line with the somewhat unfortunate formulation The following packages have been kept back (this has in the mean time been changed to the more clear The following upgrades have been deferred due to phasing).

So in summary, I would just trust the system and rest assure that any updates will be installed.

score 0 · Answer 2 · answered May 16 '25 at 13:44

Managed to fix it. Issue was with the Origin. The landscape server package metadata was missing Origin. It contains site, archive and component so had to modify 50unattended-upgrades file to "site=landscape.int.com,a=jammy" that helped. I am able to see the list of packages to be upgraded when I do #unattended-upgrade --dry-run -d

unattended upgrade not picking up latest updates

2 Answers2