diff --git a/pytest_fixtures/component/provision_pxe.py b/pytest_fixtures/component/provision_pxe.py
index 43184e6f323..bdfc384fe22 100644
--- a/pytest_fixtures/component/provision_pxe.py
+++ b/pytest_fixtures/component/provision_pxe.py
@@ -311,6 +311,7 @@ def pxe_loader(request):
         'uefi': {'vm_firmware': 'uefi', 'pxe_loader': 'Grub2 UEFI'},
         'ipxe': {'vm_firmware': 'bios', 'pxe_loader': 'iPXE Embedded'},
         'http_uefi': {'vm_firmware': 'uefi', 'pxe_loader': 'Grub2 UEFI HTTP'},
+        'secureboot': {'vm_firmware': 'uefi_secureboot', 'pxe_loader': 'Grub2 UEFI SecureBoot'},
     }
     return Box(PXE_LOADER_MAP[getattr(request, 'param', 'bios')])
 
diff --git a/tests/foreman/api/test_provisioning.py b/tests/foreman/api/test_provisioning.py
index f03a4b51f50..e92dc8298f8 100644
--- a/tests/foreman/api/test_provisioning.py
+++ b/tests/foreman/api/test_provisioning.py
@@ -19,6 +19,7 @@
 from wait_for import TimedOutError, wait_for
 
 from robottelo.config import settings
+from robottelo.hosts import get_sat_rhel_version
 from robottelo.logging import logger
 from robottelo.utils.installer import InstallerCommand
 from robottelo.utils.issue_handlers import is_open
@@ -592,6 +593,117 @@ def test_rhel_pxe_provisioning_fips_enabled(
     assert provisioning_host.subscribed, 'Host is not subscribed'
 
 
+@pytest.mark.e2e
+@pytest.mark.upgrade
+@pytest.mark.on_premises_provisioning
+@pytest.mark.parametrize('pxe_loader', ['secureboot'], indirect=True)
+@pytest.mark.rhel_ver_match([get_sat_rhel_version().major])
+def test_rhel_pxe_provisioning_secureboot_enabled(
+    request,
+    module_provisioning_sat,
+    provisioning_host,
+    pxe_loader,
+    module_sca_manifest_org,
+    module_location,
+    module_provisioning_rhel_content,
+    provisioning_hostgroup,
+):
+    """Simulate Secureboot baremetal provisioning of a RHEL system via PXE on RHV provider
+
+    :id: 8b33f545-c4a8-428d-8fd8-a5e402c8cd23
+
+    :steps:
+        1. Provision RHEL system via PXE on RHV
+        2. Check that resulting host is registered to Satellite
+        3. Check host is subscribed to Satellite
+
+    :expectedresults:
+        1. Host installs right version of RHEL
+        2. Host is registered to Satellite and subscription status is 'Success'
+        3. Secureboot is enabled on the host
+
+    :Verifies: SAT-23035
+
+    :customerscenario: true
+
+    :parametrized: yes
+    """
+    host_mac_addr = provisioning_host._broker_args['provisioning_nic_mac_addr']
+    sat = module_provisioning_sat.sat
+    host = sat.api.Host(
+        hostgroup=provisioning_hostgroup,
+        organization=module_sca_manifest_org,
+        location=module_location,
+        name=gen_string('alpha').lower(),
+        mac=host_mac_addr,
+        operatingsystem=module_provisioning_rhel_content.os,
+        subnet=module_provisioning_sat.subnet,
+        host_parameters_attributes=[
+            {'name': 'remote_execution_connect_by_ip', 'value': 'true', 'parameter_type': 'boolean'}
+        ],
+        build=True,  # put the host in build mode
+    ).create(create_missing=False)
+    # Clean up the host to free IP leases on Satellite.
+    # broker should do that as a part of the teardown, putting here just to make sure.
+    request.addfinalizer(lambda: sat.provisioning_cleanup(host.name))
+
+    # Start the VM, do not ensure that we can connect to SSHD
+    provisioning_host.power_control(ensure=False)
+
+    # TODO: Implement Satellite log capturing logic to verify that
+    # all the events are captured in the logs.
+
+    # Host should do call back to the Satellite reporting
+    # the result of the installation. Wait until Satellite reports that the host is installed.
+    wait_for(
+        lambda: host.read().build_status_label != 'Pending installation',
+        timeout=1500,
+        delay=10,
+    )
+    host = host.read()
+    assert host.build_status_label == 'Installed'
+
+    # Change the hostname of the host as we know it already.
+    # In the current infra environment we do not support
+    # addressing hosts using FQDNs, falling back to IP.
+    provisioning_host.hostname = host.ip
+    # Host is not blank anymore
+    provisioning_host.blank = False
+
+    import time
+
+    time.sleep(20000)
+    # Wait for the host to be rebooted and SSH daemon to be started.
+    provisioning_host.wait_for_connection()
+
+    # Perform version check and check if root password is properly updated
+    host_os = host.operatingsystem.read()
+    expected_rhel_version = f'{host_os.major}.{host_os.minor}'
+
+    if int(host_os.major) >= 9:
+        assert (
+            provisioning_host.execute(
+                'echo -e "\nPermitRootLogin yes" >> /etc/ssh/sshd_config; systemctl restart sshd'
+            ).status
+            == 0
+        )
+    host_ssh_os = sat.execute(
+        f'sshpass -p {settings.provisioning.host_root_password} '
+        'ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no -o PasswordAuthentication=yes '
+        f'-o UserKnownHostsFile=/dev/null root@{provisioning_host.hostname} cat /etc/redhat-release'
+    )
+    assert host_ssh_os.status == 0
+    assert (
+        expected_rhel_version in host_ssh_os.stdout
+    ), 'Different than the expected OS version was installed'
+
+    # Verify host is subscribed and consumes subsctiption provided by the activation key
+    assert provisioning_host.subscribed, 'Host is not subscribed'
+
+    # Verify SecureBoot is enabled on host after provisioning is completed sucessfully
+    assert 'SecureBoot enabled' in provisioning_host.execute('mokutil --sb-state').stdout
+
+
 @pytest.mark.e2e
 @pytest.mark.parametrize('pxe_loader', ['bios', 'uefi'], indirect=True)
 @pytest.mark.skip(reason='Skipping till we have destructive support')