diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index e5110db7..4d6f6049 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -1720,6 +1720,9 @@ if grep -q "^archipelago:[!*]" /mnt/target/etc/shadow 2>/dev/null; then
 fi
 echo " Passwords set for archipelago and root users"
+# Remove shim-signed before grub-install to prevent hooks re-creating shim files
+chroot /mnt/target dpkg --purge shim-signed shim-helpers-amd64-signed shim-helpers-arm64-signed 2>/dev/null || true
+
 # UEFI boot: install to fallback path (/EFI/BOOT/BOOTX64.EFI) for maximum compatibility
 echo " Installing UEFI bootloader..."
 if chroot /mnt/target grub-install --target=${GRUB_TARGET} --efi-directory=/boot/efi --bootloader-id=archipelago --removable; then
@@ -1754,6 +1757,14 @@ for shim_file in shimx64.efi mmx64.efi fbx64.efi BOOTX64.CSV shimaa64.efi mmaa64
 done
 # Also remove vendor-specific EFI directory (shim creates /EFI/archipelago/)
 rm -rf "/mnt/target/boot/efi/EFI/archipelago" 2>/dev/null || true
+# Nuclear cleanup: remove everything except the GRUB binary from EFI/BOOT
+if [ -d "$EFI_BOOT_DIR" ]; then
+ for f in "$EFI_BOOT_DIR"/*; do
+ [ "$(basename "$f")" = "$EFI_BOOT_BINARY" ] && continue
+ [ "$(basename "$f")" = "grub.cfg" ] && continue
+ rm -f "$f" 2>/dev/null && echo " Removed: $(basename "$f")"
+ done
+fi
 if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
 echo " ✅ UEFI boot binary present: $EFI_BOOT_DIR/$EFI_BOOT_BINARY"
 ls -la "$EFI_BOOT_DIR/"
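Review bot: The added `dpkg --purge ... 2>/dev/null || true` discards both the error text and the exit status, so if the purge is refused (for example because another installed package depends on shim-signed) the build carries on with shim still installed and nothing in the log says so. Keep the best-effort behaviour but report it, e.g. `chroot /mnt/target dpkg --purge shim-signed shim-helpers-amd64-signed shim-helpers-arm64-signed || echo "  WARNING: shim purge failed; shim files may be re-created" >&2`. The comment should also record the trade-off, since without the signed shim the installed system presumably boots only with UEFI Secure Boot disabled: `# NOTE: no signed shim means no Secure Boot chain; firmware must have Secure Boot off`. The `if chroot ... grub-install` block that follows ends outside this hunk.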
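Review bot: The new cleanup loop deletes every file in `$EFI_BOOT_DIR` before the existing `if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]` check confirms that the GRUB binary is there, so a failed grub-install or an empty or mistyped `EFI_BOOT_BINARY` leaves the ESP with at most `grub.cfg` and no loader. Guard the loop on the keeper being present: `if [ -d "$EFI_BOOT_DIR" ] && [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then`. The name test is an exact, case-sensitive string match while the ESP is normally FAT, so it is worth confirming that `EFI_BOOT_BINARY` (set outside this hunk) matches the case the file is listed with. `rm -f "$f" 2>/dev/null` also skips subdirectories silently, so the comment's "everything" should say "every regular file". The `for shim_file` loop above and the `if [ -f ...` block below both extend beyond the hunk.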