diff --git a/roles/lmn_fvs/files/bootorder.sh b/roles/lmn_fvs/files/bootorder.sh
new file mode 100644
index 0000000..a0fb6cd
--- /dev/null
+++ b/roles/lmn_fvs/files/bootorder.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/bash
+#
+# fix boot order: first PXE, then Debian
+#
+set -eu
+
+cur="$(efibootmgr | grep -Ei 'BootOrder:' | \
+		     sed -E 's/^BootOrder: ([[:xdigit:]]{4}),.+$/\1/')"
+pxeip4="$(efibootmgr | grep -Ei "IP.*4" | \
+		     sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/')"
+debian="$(efibootmgr | grep -Ei "debian" | \
+		     sed -E 's/^Boot([[:xdigit:]]{4}).+$/\1/')"
+
+if [[ "$cur" != "$pxeip4" ]] && [[ -n "$pxeip4" ]] && [[ -n "$debian" ]] ; then
+    efibootmgr -o $pxeip4,$debian
+else
+    echo "Nothing to do."
+fi
diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml
index 4c2b501..1629372 100644
--- a/roles/lmn_fvs/tasks/main.yml
+++ b/roles/lmn_fvs/tasks/main.yml
@@ -70,11 +70,14 @@
     dest: /etc/firefox-esr/policies/
 
 
-- name: Copy pwroff script
+- name: Copy pwroff and bootorder scripts
   copy:
-    src: pwroff
+    src: "{{ item }}"
     dest: /usr/local/sbin/
     mode: 0755
+  loop:
+    - pwroff
+    - bootorder.sh
 
 - name: Provide service and timer for pwroff script
   copy:
@@ -90,6 +93,10 @@
     name: pwroff.timer
     enabled: true
 
+- name: Fix boot order
+  command: /usr/local/sbin/bootorder.sh
+  register: cmd_result
+  changed_when: cmd_result.stdout is not search('Nothing to do.')
 
 - name: Copy dolphin config scripts
   ansible.builtin.copy: