diff --git a/defaults/main.yml b/defaults/main.yml
index dd1e720..8342e3a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,6 +8,7 @@ apt_conf_auto_clean_interval: 0
 apt_conf_purge_list:
   - 00trustcdrom
   - 15hobbit-plugins-update-stamp
+  - 20auto-upgrades
   - 20listchanges
   - 70debconf
 apt_conf_purge_manage: true
diff --git a/templates/etc/apt/apt.conf.d/10periodic.conf.j2 b/templates/etc/apt/apt.conf.d/10periodic.conf.j2
index a8ca313..88349d3 100644
--- a/templates/etc/apt/apt.conf.d/10periodic.conf.j2
+++ b/templates/etc/apt/apt.conf.d/10periodic.conf.j2
@@ -8,3 +8,8 @@ APT::Periodic::Download-Upgradeable-Packages "{{ apt_conf_download_upgradeable_p
 
 # Do "apt-get autoclean" every n-days (0=disable)
 APT::Periodic::AutocleanInterval "{{ apt_conf_auto_clean_interval }}";
+
+# Run the “unattended-upgrade” security upgrade script every n-days (0=disabled)
+# Requires the package “unattended-upgrades” and will write
+# a log in /var/log/unattended-upgrades
+APT::Periodic::Unattended-Upgrade "{{ apt_unattended_upgrades | int }}";