diff --git a/internal/tools/uvmboot/lcow.go b/internal/tools/uvmboot/lcow.go
index 6e2748efc6..f86d2bb9bc 100644
--- a/internal/tools/uvmboot/lcow.go
+++ b/internal/tools/uvmboot/lcow.go
@@ -41,6 +41,7 @@ const (
 	shareFilesArgName             = "share"
 	securityPolicyArgName         = "security-policy"
 	securityHardwareFlag          = "security-hardware"
+	noVerityBoot                  = "no-verity-boot"
 	securityPolicyEnforcerArgName = "security-policy-enforcer"
 )
 
@@ -105,6 +106,10 @@ var lcowCommand = cli.Command{
 			Name:  securityHardwareFlag,
 			Usage: "Use VMGS file to run on secure hardware. ('root-fs-type' must be set to 'none')",
 		},
+		cli.BoolFlag{
+			Name:  noVerityBoot,
+			Usage: "Do not use verity boot. (IMPORTANT: can only be used together with --security-hardware flag)",
+		},
 		cli.StringFlag{
 			Name:  execCommandLineArgName,
 			Usage: "Command to execute in the UVM.",
@@ -276,8 +281,16 @@ func createLCOWOptions(ctx context.Context, c *cli.Context, id string) (*uvm.Opt
 	}
 	if c.IsSet(securityHardwareFlag) {
 		options.GuestStateFilePath = vmutils.DefaultGuestStateFile
+		hclEnabled := false
+		options.HclEnabled = &hclEnabled
 		options.SecurityPolicyEnabled = true
+		options.BundleDirectory = os.TempDir()
 		options.AllowOvercommit = false
+
+		if !c.IsSet(noVerityBoot) {
+			options.DmVerityRootFsVhd = vmutils.DefaultDmVerityRootfsVhd
+			options.DmVerityMode = true
+		}
 	}
 	return options, nil
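Review bot: The new constant `noVerityBoot` breaks the naming pattern of its neighbours in this const block, which all carry an `ArgName` or `Flag` suffix (`securityHardwareFlag`, `securityPolicyArgName`); since it holds a CLI flag name rather than a boolean, the bare name invites misreading it as the option's value. Rename it `noVerityBootFlag` (and its two uses in the later hunks) so the block stays self-describing.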
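Review bot: The Usage text for the new `cli.BoolFlag` states that `--no-verity-boot` can only be used together with `--security-hardware`, but nothing in this change enforces that: in the third hunk the flag is consulted only inside the `c.IsSet(securityHardwareFlag)` branch, so passing it alone is silently ignored instead of rejected (createLCOWOptions is only partly visible here, so a check elsewhere cannot be ruled out). Because the flag's effect is to leave `DmVerityMode` and `DmVerityRootFsVhd` unset on the secure-hardware path, the documented constraint should be validated rather than left to the help string, e.g. early in createLCOWOptions: `if c.IsSet(noVerityBoot) && !c.IsSet(securityHardwareFlag) {` / `return nil, fmt.Errorf("--%s can only be used together with --%s", noVerityBoot, securityHardwareFlag)` / `}`, assuming `fmt` is already imported in this file. The Usage string would also be clearer if it named what is being switched off, e.g. `Boot without a dm-verity protected root filesystem (only valid together with --security-hardware).`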