diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix
index e73636f..065c8fd 100644
--- a/wfvm/autounattend.nix
+++ b/wfvm/autounattend.nix
@@ -155,14 +155,10 @@ let
             </RunSynchronousCommand>
             <RunSynchronousCommand wcm:action="add">
               <Order>2</Order>
-              <Path>reg add HKLM\System\Setup\LabConfig /v BypassSecureBootCheck /t reg_dword /d 0x00000001 /f</Path>
-            </RunSynchronousCommand>
-            <RunSynchronousCommand wcm:action="add">
-              <Order>3</Order>
               <Path>reg add HKLM\System\Setup\LabConfig /v BypassRAMCheck /t reg_dword /d 0x00000001 /f</Path>
             </RunSynchronousCommand>
             <RunSynchronousCommand wcm:action="add">
-              <Order>5</Order>
+              <Order>3</Order>
               <Path>reg add HKLM\System\Setup\LabConfig /v BypassCPUCheck /t reg_dword /d 0x00000001 /f</Path>
             </RunSynchronousCommand>
             <RunSynchronousCommand wcm:action="add">
diff --git a/wfvm/utils.nix b/wfvm/utils.nix
index 7138d0b..fa5ea78 100644
--- a/wfvm/utils.nix
+++ b/wfvm/utils.nix
@@ -4,18 +4,22 @@ rec {
   # qemu_test is a smaller closure only building for a single system arch
   qemu = pkgs.qemu;
 
+  OVMF = pkgs.OVMF.override {
+    secureBoot = true;
+  };
+
   mkQemuFlags = extraFlags: [
     "-enable-kvm"
     "-cpu host"
     "-smp ${cores}"
     "-m ${qemuMem}"
-    "-M q35"
+    "-M q35,smm=on"
     "-vga qxl"
     "-rtc base=${baseRtc}"
     "-device qemu-xhci"
     "-device virtio-net-pci,netdev=n1"
   ] ++ pkgs.lib.optionals efi [
-    "-bios ${pkgs.OVMF.fd}/FV/OVMF.fd"
+    "-bios ${OVMF.fd}/FV/OVMF.fd"
   ] ++ extraFlags;
 
   # Pass empty config file to prevent ssh from failing to create ~/.ssh