diff --git a/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml b/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml
index 32c76ba..d6d9e1f 100644
--- a/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml
+++ b/image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml
@@ -73,6 +73,8 @@ ubuntu_packages:
 - wget
 - xfsprogs
 - xz-utils
+unapproved_packages: # provide the exact name of the packages that need to be blocked
+ - unattended-upgrades
 repos:
 - register_repo_with_rootfs: true
 name: Ubuntu
diff --git a/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml b/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml
index 3083611..a6ce84e 100644
--- a/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml
+++ b/image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml
@@ -25,6 +25,11 @@
 suffix: multistrap
 register: multistrap_tempdir

+- name: "Configure apt with unapproved packages"
+ template:
+ src: unapproved-packages.j2
+ dest: "{{ multistrap_tempdir.path }}/pref.conf"
+
 - name: "write out multistrap config"
 template:
 src: multistrap.conf.j2
@@ -62,6 +67,18 @@
 dest: "{{ rootfs_root }}/etc/systemd/network/99-default.link"
 mode: '0644'

+- name: "Configure apt with unapproved packages"
+ template:
+ src: unapproved-packages.j2
+ dest: "{{ rootfs_root }}/etc/apt/preferences.d/unapproved-packages.pref"
+
+- name: "Configure apt to remove unapproved packages from update"
+ ansible.builtin.lineinfile:
+ path: "{{ rootfs_root }}/etc/apt/apt.conf.d/01autoremove"
+ insertafter: "multiverse/metapackages"
+ line: ' "{{ item }}";'
+ with_items: "{{ unapproved_packages }}"
+
 - name: "Lock sources.list to prevent conflict and duplicates with multistrap repo list"
 shell: |
 set -e
diff --git a/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2 b/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2
index 2d28eda..4193304 100644
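Review bot: The comment on `unapproved_packages` in defaults/main.yaml says how to write an entry but not why `unattended-upgrades` is blocked, and blocking it means images built from this role will not apply security updates on their own. I would record the reason and what replaces it above the key, for example `# Packages apt must never install in the image. unattended-upgrades is blocked because <reason>; security updates are delivered by <mechanism>.` Entries end up in an apt `Package:` field (see templates/unapproved-packages.j2 in this commit), so the comment should also say that only literal package names are expected.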
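Review bot: Neither new `template` task sets `mode`, in the `@@ -25,6 +25,11 @@` hunk (`pref.conf`) or in the `@@ -62,6 +67,18 @@` hunk (`unapproved-packages.pref`), so the permissions of both files depend on the umask of whatever runs the build. The context line just above the second task already uses `mode: '0644'`; adding the same line to both tasks keeps the preferences readable by apt and not group- or world-writable. Both tasks also share the name "Configure apt with unapproved packages", which makes the two steps indistinguishable in build logs; naming the first one after the multistrap bootstrap would help.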
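Review bot: `insertafter: "multiverse/metapackages"` in the lineinfile task of the `@@ -62,6 +67,18 @@` hunk falls back to end-of-file when the pattern is not found, so if the base `01autoremove` ever changes the task would still report success and leave a bare `"<package>";` line outside any stanza. The anchor also looks like it belongs to a list of archive sections rather than package names in the stock file, which is not visible in this hunk; please confirm the entry has the intended effect there and state the intent in a comment above the task. A guard that fails the build when the anchor is missing could precede the task, as sketched below.

```yaml
- name: "Check that 01autoremove still contains the expected anchor"
  ansible.builtin.lineinfile:
    path: "{{ rootfs_root }}/etc/apt/apt.conf.d/01autoremove"
    regexp: "multiverse/metapackages"
    state: absent
  check_mode: true
  changed_when: false
  register: autoremove_anchor
  failed_when: autoremove_anchor.found == 0

# … unchanged: "Configure apt to remove unapproved packages from update" task follows …
```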
--- a/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2
+++ b/image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2
@@ -14,6 +14,8 @@ unpack=true
 # enable MultiArch for the specified architectures
 # default is empty
 #multiarch=allowed
+# apt preferences file
+aptpreferences=pref.conf
 # the order of sections is not important.
 # the bootstrap option determines which repository
 # is used to calculate the list of Priority: required packages.
diff --git a/image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2 b/image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2
new file mode 100644
index 0000000..4c929c3
--- /dev/null
+++ b/image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2
@@ -0,0 +1,6 @@
+{% for package in unapproved_packages %}
+Package: {{ package }}
+Pin: origin *
+Pin-Priority: -1
+
+{% endfor %}
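Review bot: `aptpreferences=pref.conf` is a relative path, so whether multistrap finds the file written to `{{ multistrap_tempdir.path }}/pref.conf` depends on the working directory of the multistrap invocation, which is outside this hunk. If the lookup misses and multistrap carries on, the bootstrap would run without the pin, and the blocked package could be pulled in as a dependency before the copy under `/etc/apt/preferences.d` exists. Using the templated absolute path, `aptpreferences={{ multistrap_tempdir.path }}/pref.conf`, removes that dependency. It would also be worth confirming how multistrap behaves when the file is missing.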
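Review bot: The template in unapproved-packages.j2 has no header explaining what the generated file is for, and it writes each list entry into `Package:` unchecked. I would add a first line such as `{# apt preferences: pin every entry of unapproved_packages at -1 so apt never selects it for install #}`; a Jinja comment does not appear in the generated file. Because the same output is used for the multistrap bootstrap and inside the rootfs, a build step that checks the result would catch a pin that does not match, for instance that `apt-cache policy <package>` in the rootfs reports no candidate. The `Pin: origin *` form in particular should be confirmed against the apt version in the image.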