diff --git a/roles/bootstrap-os/defaults/main.yml b/roles/bootstrap-os/defaults/main.yml
index 9b31456ff5d4e0d75eaf25053755c573bca1c372..bb7ca1f91e8c75e17c568af7a58e24630e79acb8 100644
--- a/roles/bootstrap-os/defaults/main.yml
+++ b/roles/bootstrap-os/defaults/main.yml
@@ -11,6 +11,10 @@ coreos_locksmithd_disable: false
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
 
+## Ubuntu specific variables
+# Disable unattended-upgrades for Linux kernel and all packages start with linux- on Ubuntu
+ubuntu_kernel_unattended_upgrades_disabled: false
+
 fedora_coreos_packages:
   - python
   - python3-libselinux
diff --git a/roles/bootstrap-os/tasks/debian.yml b/roles/bootstrap-os/tasks/debian.yml
index 9b18baa06425c550598965349f9e2f3abcf1d653..5835ae1643ae7f0aee7d3fe212b674ff81fa2c16 100644
--- a/roles/bootstrap-os/tasks/debian.yml
+++ b/roles/bootstrap-os/tasks/debian.yml
@@ -62,3 +62,14 @@
     - '"changed its" in bootstrap_update_apt_result.stdout'
     - '"value from" in bootstrap_update_apt_result.stdout'
   ignore_errors: true
+
+- name: Disable kernel unattended-upgrades
+  lineinfile:
+    path: /etc/apt/apt.conf.d/50unattended-upgrades
+    insertafter: "Unattended-Upgrade::Package-Blacklist"
+    line: '"linux-";'
+    state: present
+  become: true
+  when:
+    - os_release_dict['ID'] == 'ubuntu'
+    - ubuntu_kernel_unattended_upgrades_disabled