diff --git a/playbooks/roles/base/repos/tasks/Debian.yaml b/playbooks/roles/base/repos/tasks/Debian.yaml
index db0b156276..9dff540e0b 100644
--- a/playbooks/roles/base/repos/tasks/Debian.yaml
+++ b/playbooks/roles/base/repos/tasks/Debian.yaml
@@ -25,3 +25,25 @@
     src: 'sources.list.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}'
     dest: /etc/apt/sources.list
   notify: Update apt cache
+
+- name: Configure Ubuntu ESM
+  block:
+    # Note technically this requires ubuntu-advantage-tools to be installed
+    # but the above notify to update apt caches won't have run by the time
+    # we get here. That should be ok because the Xenial nodes have all been
+    # around long enough to have ua installed.
+    - name: Get UA status
+      command: "ua status"
+      register: uastatus
+    - name: Attach UA
+      command: "ua attach --no-auto-enable {{ ubuntu_advantage_token }}"
+      when: "'This machine is not attached to a UA subscription.' in uastatus.stdout"
+      no_log: true
+    - name: Enable ESM
+      command: "ua enable esm-infra"
+      when: "'esm-infra     yes                enabled' not in uastatus.stdout"
+  when:
+    - ubuntu_advantage_token is defined
+    - enable_ubuntu_esm is defined and enable_ubuntu_esm
+    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution_release == 'xenial'
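Review bot: The `Attach UA` task puts `{{ ubuntu_advantage_token }}` on the command line, so although `no_log: true` keeps it out of Ansible output, the token is still readable in the host's process list while `ua attach` runs. If the ubuntu-advantage-tools version on these Xenial nodes supports it, attaching from a root-only file with `ua attach --attach-config <path>` would avoid that; otherwise a comment recording the exposure would help. Separately, both inner `when:` conditions match exact human-readable `ua status` text, including the column spacing in `'esm-infra     yes                enabled'`. A formatting change in the tool would therefore silently skip the attach or re-run `ua enable esm-infra` on every play. Parsing `ua status --format json` and adding `changed_when: false` to `Get UA status` would make the checks sturdier and stop the read-only task reporting a change on each run.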
diff --git a/playbooks/roles/base/server/files/50unattended-upgrades b/playbooks/roles/base/server/files/50unattended-upgrades
index 2634307d67..2fce27225b 100644
--- a/playbooks/roles/base/server/files/50unattended-upgrades
+++ b/playbooks/roles/base/server/files/50unattended-upgrades
@@ -5,6 +5,7 @@ Unattended-Upgrade::Allowed-Origins {
     "${distro_id} ${distro_codename}-security";
     "${distro_id} ${distro_codename}-updates";
 //  "${distro_id} ${distro_codename}-proposed-updates";
+    "${distro_id}ESM ${distro_codename}-infra-security";
 };
 
 // List of packages to not update