diff --git a/shim.changes b/shim.changes
index 6f4d7dd..009e35e 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug  5 05:25:16 UTC 2022 - Joey Lee <jlee@suse.com>
+
+- Add logic to shim.spec for detecting --set-sbat-policy option before
+  using mokutil to set sbat policy. (bsc#1202120)
+
 -------------------------------------------------------------------
 Fri Jul 29 02:36:36 UTC 2022 - Joey Lee <jlee@suse.com>
 
diff --git a/shim.spec b/shim.spec
index 1f99a89..cd3f90e 100644
--- a/shim.spec
+++ b/shim.spec
@@ -308,7 +308,8 @@ is_efi () {
 # run mokutil for setting sbat policy to latest mode
 SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
 if is_efi; then
-        if [ ! -f "$SBAT_POLICY" ]; then
+        if [ ! -f "$SBAT_POLICY" ] && mokutil -h | grep -q "set-sbat-policy"; then
+        # Only apply CA check on the kernel package certs (bsc#1173115)
                 mokutil --set-sbat-policy latest
         fi
 fi