diff --git a/roles/cleanup/tasks/libvirt.yml b/roles/cleanup/tasks/libvirt.yml index 13b03d1..fd08b2d 100644 --- a/roles/cleanup/tasks/libvirt.yml +++ b/roles/cleanup/tasks/libvirt.yml @@ -94,6 +94,35 @@ state: destroyed failed_when: false + - name: Enroll Secure Boot keys in VM NVRAM + when: + - system_cfg.features.secure_boot.enabled | default(false) | bool + - os != 'archlinux' + block: + - name: Find VM NVRAM file path + ansible.builtin.shell: + cmd: >- + set -o pipefail && + virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }} + | grep -oP ']*>\K[^<]+' + executable: /bin/bash + register: _sb_nvram_path + changed_when: false + failed_when: false + + - name: Enroll Secure Boot keys via virt-fw-vars + when: _sb_nvram_path.stdout | default('') | length > 0 + ansible.builtin.command: + argv: + - virt-fw-vars + - --inplace + - "{{ _sb_nvram_path.stdout | trim }}" + - --enroll-redhat + - --secure-boot + register: _sb_enroll_result + changed_when: _sb_enroll_result.rc == 0 + failed_when: false + - name: Start the VM community.libvirt.virt: name: "{{ hostname }}" diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml index ceb5f5c..1bb4fc9 100644 --- a/roles/configuration/tasks/encryption.yml +++ b/roles/configuration/tasks/encryption.yml @@ -20,11 +20,16 @@ | regex_replace('\\s+', '') | regex_replace('^\\+|\\+$', '') }} + _sb_pcr7_safe: >- + {{ + system_cfg.features.secure_boot.enabled | bool + and system_cfg.type | default('virtual') != 'virtual' + }} luks_tpm2_pcrs: >- {{ _raw_pcrs if _raw_pcrs | length > 0 - else ('7' if (system_cfg.features.secure_boot.enabled | bool) else '') + else ('7' if (_sb_pcr7_safe | bool) else '') }} ansible.builtin.set_fact: configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}" diff --git a/roles/configuration/tasks/secure_boot/shim.yml b/roles/configuration/tasks/secure_boot/shim.yml index 76b6aea..5f8fe1d 100644 
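Review bot: The `virt-fw-vars` task ends with `failed_when: false`, so a failed enrollment is silently swallowed and the play goes on to start a VM whose configuration says Secure Boot is enabled while its NVRAM may hold no enrolled keys. `failed_when: _sb_enroll_result.rc != 0` (or a `fail`/`debug` that reports a non-zero rc) would make the missing trust anchors visible instead of only leaving `changed_when` false. In the preceding task, `hostname` and `libvirt_uri` are interpolated unquoted into a `shell:` pipeline; `{{ hostname | quote }}` is the safer form for inventory-supplied values. The grep pattern as it appears here begins with `']*>`, which looks like a rendering of a tag-anchored pattern with the element name stripped; worth confirming the committed file anchors on the `nvram` element, because a pattern that matches any element's text would register a multi-line `stdout` that `trim` does not reduce to one path before it reaches `--inplace`. The `os != 'archlinux'` condition also carries no explanation; a one-line comment saying why Arch guests are skipped would help the next reader.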
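Review bot: `_sb_pcr7_safe` reads `system_cfg.features.secure_boot.enabled | bool` without the `default(false)` that the libvirt cleanup hunk uses for the same key, so a config that omits the key now fails templating here instead of evaluating to false; `system_cfg.features.secure_boot.enabled | default(false) | bool` keeps the two sites consistent. The effect of the new gate also deserves a comment: on a virtual system with an empty `_raw_pcrs`, `luks_tpm2_pcrs` is now `''`, so the LUKS TPM2 binding is no longer tied to the Secure Boot state at all, which is a deliberately weaker sealing policy. Whether that is acceptable depends on what consumes `luks_tpm2_pcrs` outside this hunk, and a comment above `_sb_pcr7_safe` stating why PCR7 is not used for virtual machines would record that the weaker policy is intended rather than accidental. The `set_fact` task these `vars` belong to starts and ends outside the hunk.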
--- a/roles/configuration/tasks/secure_boot/shim.yml
+++ b/roles/configuration/tasks/secure_boot/shim.yml
@@ -8,9 +8,14 @@
}}
block:
- name: Find shim binary in target system
- ansible.builtin.command: >-
- {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
- -name 'shimx64.efi*' -type f -print -quit
+ ansible.builtin.shell:
+ cmd: >-
+ set -o pipefail &&
+ {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
+ \( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
+ -o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \)
+ -type f | sort -r | head -1
+ executable: /bin/bash
register: _shim_find_result
changed_when: false
failed_when: false
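Review bot: The new pipeline picks among the four shim variants with `sort -r | head -1` over full paths, so the preference order is implicit and directory-first: any hit under `/usr/lib/shim` beats any hit under `/boot/efi/EFI` because `/usr` sorts after `/boot`, and only within one directory does `.signed.latest` beat `.signed`, which in turn beats `.dualsigned` and the bare `shimx64.efi`. Since this file selects the first-stage Secure Boot loader, the chosen ordering should be stated, e.g. a comment above `cmd:` such as `# Prefer /usr/lib/shim over the ESP copy, then the lexically latest signed variant`. If the intended priority is by variant rather than by directory, the lexical sort does not express it; running `find … -name NAME -print -quit` per name in priority order and stopping at the first hit would, and is worth considering before this ordering is relied on. The enclosing `block:` and the task header begin before the hunk.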