diff --git a/pillar/top.sls b/pillar/top.sls
index 131b39a99..9ae7e1e44 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -16,6 +16,8 @@ base:
 - sensoroni.adv_sensoroni
 - telegraf.soc_telegraf
 - telegraf.adv_telegraf
+ - versionlock.soc_versionlock
+ - versionlock.adv_versionlock
 '* and not *_desktop':
 - firewall.soc_firewall
diff --git a/salt/versionlock/defaults.yaml b/salt/versionlock/defaults.yaml
new file mode 100644
index 000000000..b7bce6c48
--- /dev/null
+++ b/salt/versionlock/defaults.yaml
@@ -0,0 +1,3 @@
+versionlock:
+ kernel: False
+ hold: []
diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls
new file mode 100644
index 000000000..ac27d69d7
--- /dev/null
+++ b/salt/versionlock/init.sls
@@ -0,0 +1,13 @@
+{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
+
+{% for pkg in VERSIONLOCKMERGED.hold %}
+{{pkg}}_held:
+ pkg.held:
+ - name: {{pkg}}
+{% endfor %}
+
+{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
+{{pkg}}_unheld:
+ pkg.unheld:
+ - name: {{pkg}}
+{% endfor %}
diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja
new file mode 100644
index 000000000..79ef1c45c
--- /dev/null
+++ b/salt/versionlock/map.jinja
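Review bot: Both loops in salt/versionlock/init.sls interpolate `{{pkg}}` unquoted into the state ID and the `- name:` value, although the hold list is operator-supplied pillar data and the unhold list is derived from whatever the package manager reports. An entry containing YAML-significant characters (`: `, ` #`, a leading `*` or `[`) would break rendering of the whole state or be parsed as something other than a package name. I would quote both places with Salt's filter, `- name: {{ pkg | yaml_dquote }}` and `{{ (pkg ~ '_held') | yaml_dquote }}:` for the ID (likewise for `_unheld`), so a malformed entry is rejected by the package manager instead of reshaping the rendered SLS.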
@@ -0,0 +1,32 @@
+{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
+{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
+{% set HELD = salt['pkg.list_holds']() %}
+
+{% set PACKAGES_HELD_IN_OTHER_STATES = [
+ 'salt',
+ 'salt-master',
+ 'salt-minion',
+ 'containerd.io',
+ 'docker-ce',
+ 'docker-ce-cli',
+ 'docker-ce-rootless-extras'
+] %}
+
+{% if VERSIONLOCKMERGED.kernel %}
+ {% do VERSIONLOCKMERGED['hold'].append('kernel') %}
+{% endif %}
+
+{# remove packages held in other states from hold list #}
+{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %}
+
+{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %}
+
+{# if a package is currently held but not set to be held, unhold it #}
+{% for item in HELD %}
+ {% set base_name = item.rsplit('-', 2)[0] %}
+ {% if base_name not in VERSIONLOCKMERGED['hold']
+ and base_name not in PACKAGES_HELD_IN_OTHER_STATES
+ and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
+ {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %}
+ {% endif %}
+{% endfor %}
diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml
new file mode 100644
index 000000000..b5f25c3a7
--- /dev/null
+++ b/salt/versionlock/soc_versionlock.yaml
@@ -0,0 +1,10 @@
+versionlock:
+ kernel:
+ description: Lock the kernel to prevent upgrade.
+ global: True
+ forcedType: bool
+ hold:
+ description: List of packages to hold
+ global: True
+ forcedType: "[]string"
+ multiline: True
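Review bot: The unhold loop in salt/versionlock/map.jinja releases every hold on the minion that is neither in `hold` nor in the hard-coded `PACKAGES_HELD_IN_OTHER_STATES` list, and it derives the package name with `item.rsplit('-', 2)[0]`, which is only correct when `pkg.list_holds` returns `name-version-release`. With the default `hold: []`, a lock placed by hand or by another state that is missing from that list is removed on the next run. If the entry format differs (an epoch prefix, or another package manager's output; the hunk does not show which platforms are targeted), the derived name would not match `salt` or `docker-ce` either, so those pins could be dropped as well. Where the platform's pkg module supports it, `{% set HELD = salt['pkg.list_holds'](full=False) %}` returns bare names and makes the `rsplit` unnecessary; recording which names this state itself held and unholding only those would avoid touching locks it does not own.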
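Review bot: The two descriptions in salt/versionlock/soc_versionlock.yaml do not tell the operator what the settings cost or how entries are interpreted. I would expand them along the lines of `description: Hold the kernel package at its installed version. Held packages do not receive updates, including security fixes, until the hold is removed.` and `description: Package names to hold at their installed version, one per line (name only, no version). Packages removed from this list are unheld on the next state run.` The second sentence of the `hold` text reflects the unhold loop in map.jinja, which operators would otherwise only discover by reading the state.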