diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 27654cdc..aaa47da8 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -75,7 +75,12 @@ update_checksums()
     # We don't need them after the user decides to sign
     rm -f /boot/kexec_package_trigger*
 
-    kexec-sign-config -p /boot \
+    # sign and auto-roll config counter
+    extparam=
+    if [ "$CONFIG_TPM" = "y" ]; then
+      extparam=-u
+    fi
+    kexec-sign-config -p /boot $extparam \
     || die "Failed to sign default config"
 
     # switch back to ro mode