diff --git a/roles/configuration/tasks/bootloader.yml b/roles/configuration/tasks/bootloader.yml
index 2ffee6e..c0c842a 100644
--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -103,3 +103,17 @@ ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg" register: configuration_grub_result changed_when: configuration_grub_result.rc == 0 + + - name: Rebuild GRUB as standalone EFI for Secure Boot + when: + - system_cfg.features.secure_boot.enabled | default(false) | bool + - os == 'archlinux' + ansible.builtin.command: >- {{ chroot_command }} grub-mkstandalone -d /usr/lib/grub/x86_64-efi -O x86_64-efi --disable-shim-lock -o {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grubx64.efi boot/grub/grub.cfg=/boot/grub/grub.cfg + register: _grub_standalone_result + changed_when: _grub_standalone_result.rc == 0
diff --git a/roles/configuration/tasks/secure_boot/shim.yml b/roles/configuration/tasks/secure_boot/shim.yml
index 8a24c6a..76b6aea 100644
--- a/roles/configuration/tasks/secure_boot/shim.yml
+++ b/roles/configuration/tasks/secure_boot/shim.yml
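Review bot: The new standalone image is built with `--disable-shim-lock`, which removes GRUB's shim_lock verifier, so once shim hands off to this grubx64.efi GRUB no longer asks shim to verify the kernel and initramfs it loads, and nothing in the hunk signs the produced image, which shim will only load if it carries a signature it trusts (a db or MOK entry) — if that signing step lives elsewhere in the role, point to it. If the flag is deliberate, say so on the task, e.g. `# --disable-shim-lock: Secure Boot covers shim and this GRUB image only; kernels are not verified by GRUB`; if a verified chain is the goal, the flag should go and a signing step should follow this task. `boot/grub/grub.cfg=/boot/grub/grub.cfg` embeds a snapshot of the config, so the grub-mkconfig run in the context lines above does not change this image on later runs unless this task runs again, which is worth a comment. `changed_when: _grub_standalone_result.rc == 0` reports changed on every successful run; comparing the output file's checksum before and after would give real change detection. The enclosing task list continues outside the hunk.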
@@ -20,28 +20,11 @@ - _shim_find_result.stdout | default('') | length > 0 - _configuration_platform.grub_install | bool ansible.builtin.command: >- - cp {{ _shim_find_result.stdout_lines | first }} + cp /mnt{{ _shim_find_result.stdout_lines | first }} /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi register: _shim_copy_result changed_when: _shim_copy_result.rc == 0 - - name: Enroll Secure Boot keys via efi-updatevar - when: system_cfg.type == 'virtual' - block: - - name: Check if efi-updatevar is available - ansible.builtin.command: which efi-updatevar - register: _efi_updatevar_check - changed_when: false - failed_when: false - - - name: Enroll default UEFI Secure Boot keys - when: _efi_updatevar_check.rc == 0 - ansible.builtin.command: >- - {{ chroot_command }} sbctl enroll-keys --microsoft - register: _sb_enroll_result - changed_when: _sb_enroll_result.rc == 0 - failed_when: false - - name: Verify shim is present ansible.builtin.stat: path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
@@ -51,7 +34,7 @@ ansible.builtin.debug: msg: >- Secure Boot (shim): {{ - 'shimx64.efi installed' + 'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor if (_shim_stat.stat.exists | default(false)) else 'shimx64.efi not found, shim package may handle placement on first boot' }}
diff --git a/roles/virtualization/defaults/main.yml b/roles/virtualization/defaults/main.yml
index f7c2919..7c6c6f8 100644
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
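Review bot: The new `cp /mnt{{ _shim_find_result.stdout_lines | first }}` line silently takes the first match when the earlier find returned several shim candidates, and the task reports changed on every run through the `changed_when: _shim_copy_result.rc == 0` context line, so nothing records which binary actually landed in the ESP. `ansible.builtin.copy` with `remote_src: true`, `src: "/mnt{{ _shim_find_result.stdout_lines | first }}"` and the existing destination would give real change detection plus a checksum in the result; if the shell copy stays, a comment should say why the find result needs the `/mnt` prefix (presumably the search ran inside the chroot — confirm). The `when` list and the task enclosing this hunk begin outside it.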
@@ -22,10 +22,10 @@ virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd virtualization_tpm2_enabled: >- {{ - (system_cfg.luks.enabled | bool) - and (system_cfg.luks.auto | bool) - and ( - (system_cfg.luks.method | lower) - == 'tpm2' + ( + (system_cfg.luks.enabled | bool) + and (system_cfg.luks.auto | bool) + and (system_cfg.luks.method | lower == 'tpm2') ) + or (system_cfg.features.secure_boot.enabled | default(false) | bool) }}
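Review bot: The rewritten `virtualization_tpm2_enabled` now turns on TPM2 for any system with `system_cfg.features.secure_boot.enabled`, yet the name still reads as a LUKS auto-unlock switch and the hunk gives no reason for the coupling; a comment above the key should state it, e.g. `# Secure Boot guests also get an emulated TPM2 — <reason: confirm, e.g. measured boot or key enrollment needs it>`. The two terms also default differently: the new `secure_boot` term carries `| default(false)`, while `system_cfg.luks.enabled`, `.auto` and `.method` have none, so a config without those keys may fail to render rather than evaluate to false; `(system_cfg.luks.enabled | default(false) | bool)` and the same on the other two terms would make the expression total. The `>-` block scalar holding this value starts in the context lines above the hunk.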