diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 2ea9091..36db4a8 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,5 +1,6 @@
 vn_first_time: false
 vn_witness_checked: false
+grub_user: admin
 default_user: user
 fail2ban:
   email: "{{ sysadmin_mail }}"
diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml
new file mode 100644
index 0000000..a47d03c
--- /dev/null
+++ b/roles/debian-base/tasks/grub_startup.yml
@@ -0,0 +1,48 @@
+# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication.
+# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template.
+# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
+# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help.
+- name: GRUB edit unrestricted option
+  copy:
+    content: |
+      #!/bin/sh
+      exec tail -n +3 $0
+      # This file provides an easy way to add custom menu entries. Simply type the
+      # menu entries you want to add after this comment. Be careful not to change
+      # the 'exec tail' line above.
+      menuentry_id_option="--unrestricted $menuentry_id_option"
+    dest: /etc/grub.d/09_make_OS_entries_unrestricted
+    owner: root
+    group: root
+    checksum: fed5c365f11a919b857b78207565cf341b86082b
+    mode: u=rwx,g=rx,o=rx
+  register: grubunrestricted
+- name: Search grub password in Passbolt
+  set_fact:
+    grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"
+- name: GRUB edit password protection
+  copy:
+    content: |
+      #!/bin/sh
+      exec tail -n +3 $0
+      set superusers="{{ grub_user }}"
+      password_pbkdf2 {{ grub_user }} {{ grub_code }}
+    dest: /etc/grub.d/00_before
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+  register: grubpass
+- name: Change GRUB_TIMEOUT from 5 to 1
+  copy:
+    content: |
+      GRUB_TIMEOUT=1
+    dest: /etc/default/grub.d/timeout.cfg
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  register: grubtime
+- name: Generate GRUB configuration
+  command: update-grub
+  when: grubunrestricted.changed or grubpass.changed or grubtime.changed
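Review bot: The `/etc/grub.d/00_before` script written by the "GRUB edit password protection" task carries the `password_pbkdf2` hash but is installed with `mode: u=rwx,g=rx,o=rx`, so every local account can read it; `update-grub` runs the grub.d scripts as root, so `mode: u=rwx,g=rx,o=` (or `"0750"`) is enough, and `no_log: true` on the "Search grub password in Passbolt" task keeps the hash out of verbose runs. Whether the generated `/boot/grub/grub.cfg` also ends up world-readable depends on the distro's `grub-mkconfig`, which is worth checking on one target host. Because `09_make_OS_entries_unrestricted` prepends `--unrestricted` to every entry that uses `$menuentry_id_option`, the recovery entries under "Advanced options" become bootable without the GRUB password as well; if single-user boot is meant to stay behind it, a `GRUB_DISABLE_RECOVERY="true"` drop-in next to `timeout.cfg` would match the "restrict editing only" intent in the header comment. `lookup(passbolt, ...)` passes `passbolt` as a bare variable rather than a quoted plugin name, which only resolves if a variable of that name is defined elsewhere in the play.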
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index dcd5f94..bbdc17a 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -32,3 +32,5 @@
   tags: bacula
 - import_tasks: vn-repo.yml
   tags: vn-repo
+- import_tasks: grub_startup.yml
+  tags: grub_startup
diff --git a/roles/secure-grub/handlers/main.yml b/roles/secure-grub/handlers/main.yml
deleted file mode 100644
index 5b3125c..0000000
--- a/roles/secure-grub/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: grub-register
-  command: update-grub
diff --git a/roles/secure-grub/tasks/main.yml b/roles/secure-grub/tasks/main.yml
deleted file mode 100644
index dd4acb3..0000000
--- a/roles/secure-grub/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: GRUB boot password protection
-  blockinfile:
-    path: /etc/grub.d/40_custom
-    block: |
-      set superusers="{{ grub_user }}"
-      password_pbkdf2 {{ grub_user }} {{ grub_code }}
-  notify: grub-register
diff --git a/roles/secure-grub/vars/main.yaml b/roles/secure-grub/vars/main.yaml
deleted file mode 100644
index 875fc0c..0000000
--- a/roles/secure-grub/vars/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-grub_user: admin
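Review bot: Hosts already configured by the deleted secure-grub role still carry the `set superusers`/`password_pbkdf2` block that `blockinfile` wrote into `/etc/grub.d/40_custom`, and nothing imported by the new `grub_startup.yml` line removes it, so those hosts keep a second, possibly stale copy of the hash in grub.cfg next to the new `00_before`. A one-off cleanup before the import, e.g. `blockinfile: {path: /etc/grub.d/40_custom, state: absent}` with the same default marker, registered so it also feeds the `update-grub` condition, would migrate them; it can be skipped if every host is re-provisioned from scratch. Any playbook that still lists the `secure-grub` role will now fail to resolve it, which cannot be checked from this diff.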