diff --git a/module/post-fs-data.sh b/module/post-fs-data.sh
index 6196daf..42a4ccf 100644
--- a/module/post-fs-data.sh
+++ b/module/post-fs-data.sh
@@ -7,3 +7,37 @@ fi
 if [ -d /data/adb/modules/safetynet-fix ]; then
 touch /data/adb/modules/safetynet-fix/remove
 fi
+
+# Conditional early sensitive properties
+
+resetprop_if_diff() {
+ local NAME=$1
+ local EXPECTED=$2
+ local CURRENT=$(resetprop $NAME)
+
+ [ -z "$CURRENT" ] || [ "$CURRENT" == "$EXPECTED" ] || resetprop $NAME $EXPECTED
+}
+resetprop_if_match() {
+ local NAME=$1
+ local CONTAINS=$2
+ local VALUE=$3
+
+ [[ "$(resetprop $NAME)" == *"$CONTAINS"* ]] && resetprop $NAME $VALUE
+}
+
+# RootBeer, Microsoft
+resetprop_if_diff ro.build.tags release-keys
+
+# Samsung
+resetprop_if_diff ro.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.boot.warranty_bit 0
+resetprop_if_diff ro.vendor.warranty_bit 0
+resetprop_if_diff ro.warranty_bit 0
+
+# OnePlus
+resetprop_if_diff ro.is_ever_orange 0
+
+# Other
+resetprop_if_diff ro.build.type user
+resetprop_if_diff ro.debuggable 0
+resetprop_if_diff ro.secure 1
diff --git a/module/service.sh b/module/service.sh
index 745e296..5cf3d4b 100644
--- a/module/service.sh
+++ b/module/service.sh
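Review bot: The helpers added to module/post-fs-data.sh pass `$NAME`, `$EXPECTED` and `$VALUE` to `resetprop` unquoted, so a value containing whitespace or a glob character would be split or expanded before it reaches the tool; quote them, e.g. `resetprop "$NAME" "$EXPECTED"`. `local CURRENT=$(resetprop $NAME)` also replaces the exit status of `resetprop` with that of `local`; declaring with `local CURRENT` and assigning on the next line keeps it. `resetprop_if_match` is defined here but none of the added calls use it, and the header of the module/service.sh hunk shows the same function still defined there, so the helper now exists in two files and can drift; a shared file sourced by both scripts would avoid that. The comment `# Conditional early sensitive properties` does not say why these writes have to happen at post-fs-data instead of in service.sh, and one sentence giving the reason would help the next maintainer.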
@@ -15,33 +15,15 @@ resetprop_if_match() {
 [[ "$(resetprop $NAME)" == *"$CONTAINS"* ]] && resetprop $NAME $VALUE
 }
-# RootBeer, Microsoft
-resetprop_if_diff ro.build.tags release-keys
-
-# Samsung
-resetprop_if_diff ro.boot.warranty_bit 0
-resetprop_if_diff ro.vendor.boot.warranty_bit 0
-resetprop_if_diff ro.vendor.warranty_bit 0
-resetprop_if_diff ro.warranty_bit 0
-
-# OnePlus
-resetprop_if_diff ro.is_ever_orange 0
-
-# Other
-resetprop_if_diff ro.build.type user
-resetprop_if_diff ro.debuggable 0
-resetprop_if_diff ro.secure 1
-
 # Magisk recovery mode
 resetprop_if_match ro.bootmode recovery unknown
 resetprop_if_match ro.boot.mode recovery unknown
 resetprop_if_match vendor.boot.mode recovery unknown
 # SELinux
-if [ -n "$(getprop ro.build.selinux)" ]; then
- resetprop --delete ro.build.selinux
+if [ -n "$(resetprop ro.build.selinux)" ]; then
+ resetprop --delete ro.build.selinux
 fi
-
 # use toybox to protect *stat* access time reading
 if [ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]; then
 chmod 640 /sys/fs/selinux/enforce
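Review bot: The SELinux check now reads `ro.build.selinux` through `resetprop` instead of `getprop`, but neither the commit nor a comment says why; if the intent is to read the property the same way the helpers do, a comment such as `# read via resetprop, same as resetprop_if_match` on the `if` line would record it. The `resetprop --delete ro.build.selinux` line is removed and re-added with the same text, so that part looks like an indentation-only change and should match the indentation of the `chmod 640` line further down. With every `resetprop_if_diff` call removed from this file, a `resetprop_if_diff` definition above the hunk, if one remains, has no callers in the lines shown.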