diff --git a/internal/oci/annotations.go b/internal/oci/annotations.go
index e8acdb6422..d56611162a 100644
--- a/internal/oci/annotations.go
+++ b/internal/oci/annotations.go
@@ -166,6 +166,9 @@ const (
 	// AnnotationVPMemNoMultiMapping indicates that we should disable LCOW vpmem layer multi mapping
 	AnnotationVPMemNoMultiMapping = "io.microsoft.virtualmachine.lcow.vpmem.nomultimapping"
 
+	// AnnotationKernelBootOptions is used to specify kernel options used while booting a linux kernel
+	AnnotationKernelBootOptions = "io.microsoft.virtualmachine.lcow.kernelbootoptions"
+
 	// AnnotationStorageQoSBandwidthMaximum indicates the maximum number of bytes per second. If `0`
 	// will default to the platform default.
 	AnnotationStorageQoSBandwidthMaximum = "io.microsoft.virtualmachine.storageqos.bandwidthmaximum"
diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go
index 9ddae4b445..380795094c 100644
--- a/internal/oci/uvm.go
+++ b/internal/oci/uvm.go
@@ -330,6 +330,7 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		lopts.CPUGroupID = parseAnnotationsString(s.Annotations, AnnotationCPUGroupID, lopts.CPUGroupID)
 		lopts.NetworkConfigProxy = parseAnnotationsString(s.Annotations, AnnotationNetworkConfigProxy, lopts.NetworkConfigProxy)
 		lopts.SecurityPolicy = parseAnnotationsString(s.Annotations, AnnotationSecurityPolicy, lopts.SecurityPolicy)
+		lopts.KernelBootOptions = parseAnnotationsString(s.Annotations, AnnotationKernelBootOptions, lopts.KernelBootOptions)
 
 		handleAnnotationPreferredRootFSType(ctx, s.Annotations, lopts)
 		handleAnnotationKernelDirectBoot(ctx, s.Annotations, lopts)
diff --git a/internal/uvm/create_lcow.go b/internal/uvm/create_lcow.go
index 192d16a95a..380cdccc84 100644
--- a/internal/uvm/create_lcow.go
+++ b/internal/uvm/create_lcow.go
@@ -355,6 +355,7 @@ func CreateLCOW(ctx context.Context, opts *OptionsLCOW) (_ *UtilityVM, err error
 		kernelArgs += " panic=-1 quiet"
 	}
 
+	// Add Kernel Boot options
 	if opts.KernelBootOptions != "" {
 		kernelArgs += " " + opts.KernelBootOptions
 	}
diff --git a/test/cri-containerd/runpodsandbox_test.go b/test/cri-containerd/runpodsandbox_test.go
index 8f1538628b..f5090f43ec 100644
--- a/test/cri-containerd/runpodsandbox_test.go
+++ b/test/cri-containerd/runpodsandbox_test.go
@@ -1327,3 +1327,32 @@ func createSandboxContainerAndExec(t *testing.T, annotations map[string]string,
 
 	return output, errorMsg, exitCode
 }
+
+func Test_RunPodSandbox_KernelOptions_LCOW(t *testing.T) {
+	requireFeatures(t, featureLCOW)
+
+	pullRequiredLcowImages(t, []string{imageLcowK8sPause, imageLcowAlpine})
+
+	annotations := map[string]string{
+		oci.AnnotationFullyPhysicallyBacked: "true",
+		oci.AnnotationMemorySizeInMB:        "2048",
+		oci.AnnotationKernelBootOptions:     "hugepagesz=2M hugepages=10",
+	}
+
+	hugePagesCmd := []string{"grep", "-i", "HugePages_Total", "/proc/meminfo"}
+	output, errorMsg, exitCode := createSandboxContainerAndExec(t, annotations, nil, hugePagesCmd)
+
+	if exitCode != 0 {
+		t.Fatalf("Exec into container failed with: %v and exit code: %d, %s", errorMsg, exitCode, t.Name())
+	}
+
+	splitOutput := strings.Split(output, ":")
+	numOfHugePages, err := strconv.Atoi(strings.TrimSpace(splitOutput[1]))
+	if err != nil {
+		t.Fatalf("Error happened while extracting number of hugepages: %v from output : %s", err, output)
+	}
+
+	if numOfHugePages != 10 {
+		t.Fatalf("Expected number of hugepages to be 10. Got output instead: %d", numOfHugePages)
+	}
+}
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/oci/annotations.go b/test/vendor/github.com/Microsoft/hcsshim/internal/oci/annotations.go
index e8acdb6422..df8ee7b294 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/oci/annotations.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/oci/annotations.go
@@ -166,6 +166,9 @@ const (
 	// AnnotationVPMemNoMultiMapping indicates that we should disable LCOW vpmem layer multi mapping
 	AnnotationVPMemNoMultiMapping = "io.microsoft.virtualmachine.lcow.vpmem.nomultimapping"
 
+	// AnnotationKernelBootOptions is used to specify kernel options used while booting a linux kernerl
+	AnnotationKernelBootOptions = "io.microsoft.virtualmachine.lcow.kernelbootoptions"
+
 	// AnnotationStorageQoSBandwidthMaximum indicates the maximum number of bytes per second. If `0`
 	// will default to the platform default.
 	AnnotationStorageQoSBandwidthMaximum = "io.microsoft.virtualmachine.storageqos.bandwidthmaximum"
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/oci/uvm.go b/test/vendor/github.com/Microsoft/hcsshim/internal/oci/uvm.go
index 9ddae4b445..380795094c 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/oci/uvm.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/oci/uvm.go
@@ -330,6 +330,7 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		lopts.CPUGroupID = parseAnnotationsString(s.Annotations, AnnotationCPUGroupID, lopts.CPUGroupID)
 		lopts.NetworkConfigProxy = parseAnnotationsString(s.Annotations, AnnotationNetworkConfigProxy, lopts.NetworkConfigProxy)
 		lopts.SecurityPolicy = parseAnnotationsString(s.Annotations, AnnotationSecurityPolicy, lopts.SecurityPolicy)
+		lopts.KernelBootOptions = parseAnnotationsString(s.Annotations, AnnotationKernelBootOptions, lopts.KernelBootOptions)
 
 		handleAnnotationPreferredRootFSType(ctx, s.Annotations, lopts)
 		handleAnnotationKernelDirectBoot(ctx, s.Annotations, lopts)
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/create_lcow.go b/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/create_lcow.go
index 192d16a95a..380cdccc84 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/create_lcow.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/create_lcow.go
@@ -355,6 +355,7 @@ func CreateLCOW(ctx context.Context, opts *OptionsLCOW) (_ *UtilityVM, err error
 		kernelArgs += " panic=-1 quiet"
 	}
 
+	// Add Kernel Boot options
 	if opts.KernelBootOptions != "" {
 		kernelArgs += " " + opts.KernelBootOptions
 	}
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go b/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go
index e826b6d679..02af81d2b8 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go
@@ -24,6 +24,10 @@ func (uvm *UtilityVM) SetSecurityPolicy(ctx context.Context, policy string) erro
 		return errNotSupported
 	}
 
+	if policy == "" {
+		return nil
+	}
+
 	uvm.m.Lock()
 	defer uvm.m.Unlock()