diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml
index 582c1eb..da7c2fb 100644
--- a/roles/common/tasks/unattended-upgrades.yml
+++ b/roles/common/tasks/unattended-upgrades.yml
@@ -19,11 +19,3 @@
     owner: root
     group: root
     mode: 0644
-
-- name: Unattended reboots configured
-  template:
-    src: 60unattended-reboot.j2
-    dest: /etc/apt/apt.conf.d/60unattended-reboot
-    owner: root
-    group: root
-    mode: 0644
diff --git a/roles/common/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2
index 0c55b70..87c4b07 100644
--- a/roles/common/templates/50unattended-upgrades.j2
+++ b/roles/common/templates/50unattended-upgrades.j2
@@ -1,32 +1,45 @@
 // Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
 Unattended-Upgrade::Allowed-Origins {
     "${distro_id}:${distro_codename}-security";
+    // Extended Security Maintenance; doesn't necessarily exist for
+    // every release and this system may not have it installed, but if
+    // available, the policy for updates is such that unattended-upgrades
+    // should also install from here by default.
+    "${distro_id}ESM:${distro_codename}";
     "${distro_id}:${distro_codename}-updates";
-//  "${distro_id}:${distro_codename}-proposed";
-//  "${distro_id}:${distro_codename}-backports";
+    //	"${distro_id}:${distro_codename}-proposed";
+    //	"${distro_id}:${distro_codename}-backports";
 };
 
 // List of packages to not update (regexp are supported)
 Unattended-Upgrade::Package-Blacklist {
-//  "vim";
-//  "libc6";
-//  "libc6-dev";
-//  "libc6-i686";
+//	"vim";
+//	"libc6";
+//	"libc6-dev";
+//	"libc6-i686";
 };
 
+// This option will controls whether the development release of Ubuntu will be
+// upgraded automatically.
+Unattended-Upgrade::DevRelease "false";
+
 // This option allows you to control if on a unclean dpkg exit
 // unattended-upgrades will automatically run
 //   dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
-//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 
 // Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGUSR1. This makes the upgrade
+// they can be interrupted with SIGTERM. This makes the upgrade
 // a bit slower but it has the benefit that shutdown while a upgrade
 // is running is possible (with a small delay)
-//Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::MinimalSteps "true";
 
-// Install all unattended-upgrades when the machine is shuting down
+// Install all unattended-upgrades when the machine is shutting down
 // instead of doing it in the background while the machine is running
 // This will (obviously) make shutdown slower
 //Unattended-Upgrade::InstallOnShutdown "true";
@@ -41,19 +54,43 @@ Unattended-Upgrade::Package-Blacklist {
 // is to always send a mail if Unattended-Upgrade::Mail is set
 //Unattended-Upgrade::MailOnlyOnError "true";
 
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
 // Do automatic removal of new unused dependencies after the upgrade
 // (equivalent to apt-get autoremove)
-//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
 
 // Automatically reboot *WITHOUT CONFIRMATION*
 //  if the file /var/run/reboot-required is found after the upgrade
-//Unattended-Upgrade::Automatic-Reboot "false";
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}";
 
 // If automatic reboot is enabled and needed, reboot at the specific
 // time instead of immediately
 //  Default: "now"
-//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}";
 
 // Use apt bandwidth limit feature, this example limits the download
 // speed to 70kb/sec
 //Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+Unattended-Upgrade::SyslogEnable "true";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Keep the custom conffile when upgrading
+Dpkg::Options {
+   "--force-confdef";
+   "--force-confold";
+};
diff --git a/roles/common/templates/60unattended-reboot.j2 b/roles/common/templates/60unattended-reboot.j2
deleted file mode 100644
index 6af4912..0000000
--- a/roles/common/templates/60unattended-reboot.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}";
-Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}";