diff --git a/lmn-desktop.yml b/lmn-desktop.yml
index c470094..20f6482 100644
--- a/lmn-desktop.yml
+++ b/lmn-desktop.yml
@@ -25,6 +25,8 @@
     domain: "{{ ansible_domain }}"
     kerberize_uris: steinbeis.schule
     rsyncsecret: Muster!
+    ## Use grub-mkpasswd-pbkdf2 to calculate the password hash:
+    grub_pwd: 'grub.pbkdf2.sha512.10000.FB60266F69FB181327AFB76193192454FC64151559EFF4D6B8FB7C7904A2A9C4778EDD515B46F770DB6A009F36903C193917BBBC571C5B6AAB2A69208BE01A6E.7B82114A0239C0EC55A50E95C48FA74A8910DEE4088447786DAB35770B9C2CF2D1550CF3B7452155EB55D5F84E5D357BF12B8D299CF9B01BF5D71D516CF826DB'
     nfs4: false
     extra_pkgs:
       - vim
diff --git a/roles/lmn_kde/tasks/main.yml b/roles/lmn_kde/tasks/main.yml
index 58df607..fb9d98b 100644
--- a/roles/lmn_kde/tasks/main.yml
+++ b/roles/lmn_kde/tasks/main.yml
@@ -155,7 +155,15 @@
   command: sync-vm.sh -t
   ## FIXME: do not run every time
 
-################# from kiosk.yml ##################
+################# general settings ##################
+- name: Protect grub menu entries
+  blockinfile:
+    path: /etc/grub.d/40_custom
+    block: |
+      set superusers='root'
+      password_pbkdf2 root {{ grub_pwd }}
+  notify: update grub
+
 - name: grub timeout
   lineinfile:
     dest: /etc/default/grub