Si on ajoute des repositories APT à Debian, et que l'on souhaite que unattended-upgrade les utilise lors des mises à jour, il faut les rajouter.

Pour cela, lancer la commande unattended-upgrade -d --dry-run|grep "not allowed"
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/repo.mongodb.org_apt_ubuntu_dists_bionic_mongodb-org_4.0_multiverse_binary-amd64_Packages'  a=bionic,c=multiverse,v=,o=mongodb,l=mongodb arch='amd64' site='repo.mongodb.org' IndexType='Debian Package Index' Size=472074 ID:30> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/artifacts.elastic.co_packages_oss-7.x_apt_dists_stable_main_binary-amd64_Packages'  a=stable,c=main,v=,o=elastic,l=. stable arch='amd64' site='artifacts.elastic.co' IndexType='Debian Package Index' Size=319531 ID:28> with -32768 pin

Dans cet exemple, deux repositories additionnels ne sont pas pris en compte par la mise à jour.
Il faut les rajouter dans le fichier de configuration /etc/apt/apt.conf.d/50unattended-upgrades.
La syntaxe de cette partie est de la forme : origine:archive (o= et a= dans la commande ci-dessus) :
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
        "Freight:stable";
      "mongodb:bionic";
      "elastic:stable";
};
Si la section "Allowed-Origins" n'existe pas, il faut alors utiliser "Origins-Pattern" :
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
//      "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
        "o=Debian,a=stable";
        "o=Debian,a=stable-security";
        "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};


En relançant la commande unattended-upgrade -d --dry-run|grep "not allowed", plus rien ne sort, et donc tous les paquets seront mis à jour