Hacker News
by dspillett 1385 days ago
MS push having automatic unattended updates turned on. Azure's security recs complain without end if you don't. Much like desktop Windows deciding when it should update & reboot.

I see the argument for getting security updates out there ASAP, but this case proves my point that it is a bad idea to do it automatically [unless perhaps there is a serious remotely vulnerable actively exploited issue] on any sort of production environment. Deploy to test environments and verify (at the very least smoke test) first, then apply elsewhere. If you don't have test environments, at least do the deploy to prod/other at your control when someone is available to quickly take action regarding any unexpected issues.

So the initial problem may be with Ubuntu, or upstream systemd, but MS policies magnified it significantly.