diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index f1664ee..1c4ea5e 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -3,9 +3,6 @@
 
 rm_conffile /etc/sudoers.d/umask-security-misc
 
-## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
-rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
-
 ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
 rm_conffile /etc/sysctl.d/sysrq.conf
 
diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg
new file mode 100644
index 0000000..5441292
--- /dev/null
+++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg
@@ -0,0 +1,4 @@
+## Requires every module to be signed before being loaded.
+## Any module that is unsigned or signed with an invalid key cannot be loaded.
+## This makes it harder to load a malicious module.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"