diff --git a/actions/upgrades b/actions/upgrades
index f1802e0fb..d92699c6b 100755
--- a/actions/upgrades
+++ b/actions/upgrades
@@ -18,6 +18,37 @@ LOG_FILE = '/var/log/unattended-upgrades/unattended-upgrades.log'
 BUSTER_BACKPORTS_RELEASE_FILE_URL = \
     'https://deb.debian.org/debian/dists/buster-backports/Release'
 
+# Whenever these preferences needs to change, increment the version number
+# upgrades app. This ensures that setup is run again and the new contents are
+# overwritten on the old file.
+APT_PREFERENCES = '''Explanation: This file is managed by FreedomBox, do not edit.
+Explanation: Allow carefully selected updates to 'freedombox' from backports.
+Package: freedombox
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse 0.99.5 introduces room version 4. Older version
+Explanation: 0.99.2 in buster won't be able join newly created rooms.
+Package: matrix-synapse
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse >= 1.2 requires python3-service-identity >= 18.1
+Package: python3-service-identity
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse >= 1.5 requires python3-typing-extensions >= 3.7.4
+Package: python3-typing-extensions
+Pin: release a=buster-backports
+Pin-Priority: 500
+
+Explanation: matrix-synapse >= 1.11 requires python3-signedjson >= 1.1.0
+Package: python3-signedjson
+Pin: release a=buster-backports
+Pin-Priority: 500
+'''
+
 
 def parse_arguments():
     """Return parsed command line arguments as dictionary"""
@@ -31,6 +62,7 @@ def parse_arguments():
     subparsers.add_parser('disable-auto', help='Disable automatic upgrades.')
     subparsers.add_parser('get-log', help='Print the automatic upgrades log')
 
+    subparsers.add_parser('setup', help='Setup apt preferences')
     subparsers.add_parser('setup-repositories',
                           help='Setup software repositories for FreedomBox')
 
@@ -156,11 +188,23 @@ def _check_and_backports_sources():
 
 def _add_apt_preferences():
     """Setup APT preferences to upgrade selected packages from backports."""
+    base_path = pathlib.Path('/etc/apt/preferences.d')
     for file_name in ['50freedombox.pref', '50freedombox2.pref']:
-        full_path = pathlib.Path('/etc/apt/preferences.d') / file_name
+        full_path = base_path / file_name
         if full_path.exists():
             full_path.unlink()
 
+    # Don't try to remove 50freedombox3.pref as this file is shipped with the
+    # Debian package and is removed using maintainer scripts.
+
+    with open(base_path / '50freedombox4.pref', 'w') as file_handle:
+        file_handle.write(APT_PREFERENCES)
+
+
+def subcommand_setup(_):
+    """Setup apt preferences."""
+    _add_apt_preferences()
+
 
 def subcommand_setup_repositories(_):
     """Setup software repositories needed for FreedomBox.
@@ -170,7 +214,6 @@ def subcommand_setup_repositories(_):
 
     """
     _check_and_backports_sources()
-    _add_apt_preferences()
 
 
 def main():
diff --git a/debian/freedombox.lintian-overrides b/debian/freedombox.lintian-overrides
index 30f31ad68..13f87a95e 100644
--- a/debian/freedombox.lintian-overrides
+++ b/debian/freedombox.lintian-overrides
@@ -15,6 +15,3 @@ freedombox binary: non-standard-apache2-configuration-name *
 # web servers. At some point we would like to work with other web servers but
 # that requires significant effort.
 freedombox binary: web-application-should-not-depend-unconditionally-on-apache2
-
-# FreedomBox takes over local administration of a system.
-freedombox binary: package-installs-apt-preferences etc/apt/preferences.d/50freedombox3.pref
diff --git a/debian/freedombox.maintscript b/debian/freedombox.maintscript
index 0ae0f085e..9349c7399 100644
--- a/debian/freedombox.maintscript
+++ b/debian/freedombox.maintscript
@@ -9,3 +9,4 @@ rm_conffile /etc/plinth/modules-enabled/disks 0.15.3+ds-1~
 rm_conffile /etc/plinth/modules-enabled/udiskie 0.39.0~
 rm_conffile /etc/plinth/modules-enabled/restore 20.1~
 rm_conffile /etc/plinth/modules-enabled/repro 20.1~
+rm_conffile /etc/apt/preferences.d/50freedombox3.pref 20.5~
diff --git a/debian/postrm b/debian/postrm
index decc0700f..244f5736e 100755
--- a/debian/postrm
+++ b/debian/postrm
@@ -25,6 +25,10 @@ purge)
     if [ -e '/etc/apt/preferences.d/50freedombox2.pref' ]; then
         rm -f /etc/apt/preferences.d/50freedombox2.pref
     fi
+
+    if [ -e '/etc/apt/preferences.d/50freedombox4.pref' ]; then
+        rm -f /etc/apt/preferences.d/50freedombox4.pref
+    fi
     ;;
 esac
 
diff --git a/plinth/modules/upgrades/__init__.py b/plinth/modules/upgrades/__init__.py
index 4293ea0b7..d737f2eb1 100644
--- a/plinth/modules/upgrades/__init__.py
+++ b/plinth/modules/upgrades/__init__.py
@@ -13,7 +13,7 @@ from plinth import menu
 
 from .manifest import backup  # noqa, pylint: disable=unused-import
 
-version = 1
+version = 2
 
 is_essential = True
 
@@ -86,7 +86,14 @@ def init():
 def setup(helper, old_version=None):
     """Install and configure the module."""
     helper.install(managed_packages)
-    helper.call('post', actions.superuser_run, 'upgrades', ['enable-auto'])
+
+    # Enable automatic upgrades but only on first install
+    if not old_version:
+        helper.call('post', actions.superuser_run, 'upgrades', ['enable-auto'])
+
+    # Update apt preferences whenever on first install and on version
+    # increment.
+    helper.call('post', actions.superuser_run, 'upgrades', ['setup'])
 
 
 def is_enabled():
diff --git a/plinth/modules/upgrades/data/etc/apt/preferences.d/50freedombox3.pref b/plinth/modules/upgrades/data/etc/apt/preferences.d/50freedombox3.pref
deleted file mode 100644
index b7a06d9cb..000000000
--- a/plinth/modules/upgrades/data/etc/apt/preferences.d/50freedombox3.pref
+++ /dev/null
@@ -1,26 +0,0 @@
-Explanation: This file is managed by FreedomBox, do not edit.
-Explanation: Allow carefully selected updates to 'freedombox' from backports.
-Package: freedombox
-Pin: release a=buster-backports
-Pin-Priority: 500
-
-Explanation: matrix-synapse 0.99.5 introduces room version 4. Older version
-Explanation: 0.99.2 in buster won't be able join newly created rooms.
-Package: matrix-synapse
-Pin: release a=buster-backports
-Pin-Priority: 500
-
-Explanation: matrix-synapse >= 1.2 requires python3-service-identity >= 18.1
-Package: python3-service-identity
-Pin: release a=buster-backports
-Pin-Priority: 500
-
-Explanation: matrix-synapse >= 1.5 requires python3-typing-extensions >= 3.7.4
-Package: python3-typing-extensions
-Pin: release a=buster-backports
-Pin-Priority: 500
-
-Explanation: matrix-synapse >= 1.11 requires python3-signedjson >= 1.1.0
-Package: python3-signedjson
-Pin: release a=buster-backports
-Pin-Priority: 500