diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
index da105960eb..4f6f118610 100644
--- a/internal/uvm/create_wcow.go
+++ b/internal/uvm/create_wcow.go
@@ -505,7 +505,7 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 		devicesPhysicallyBacked: opts.FullyPhysicallyBacked,
 		vsmbNoDirectMap:         opts.NoDirectMap,
 		noWritableFileShares:    opts.NoWritableFileShares,
-		createOpts:              *opts,
+		createOpts:              opts,
 		blockCIMMounts:          make(map[string]*UVMMountedBlockCIMs),
 	}
 
diff --git a/internal/uvm/security_policy.go b/internal/uvm/security_policy.go
index 24ce7bae0b..ebd49dcec0 100644
--- a/internal/uvm/security_policy.go
+++ b/internal/uvm/security_policy.go
@@ -167,9 +167,9 @@ func (uvm *UtilityVM) InjectPolicyFragment(ctx context.Context, fragment *ctrdta
 // returns if this instance of the UtilityVM is created with confidential policy
 func (uvm *UtilityVM) HasConfidentialPolicy() bool {
 	switch opts := uvm.createOpts.(type) {
-	case OptionsWCOW:
+	case *OptionsWCOW:
 		return opts.SecurityPolicyEnabled
-	case OptionsLCOW:
+	case *OptionsLCOW:
 		return opts.SecurityPolicyEnabled
 	default:
 		panic("unexpected options type")
diff --git a/internal/uvm/start.go b/internal/uvm/start.go
index de8046f94d..b42e814624 100644
--- a/internal/uvm/start.go
+++ b/internal/uvm/start.go
@@ -339,8 +339,8 @@ func (uvm *UtilityVM) Start(ctx context.Context) (err error) {
 
 	if uvm.HasConfidentialPolicy() && uvm.OS() == "windows" {
 		copts := []WCOWConfidentialUVMOpt{
-			WithWCOWSecurityPolicy(uvm.createOpts.(OptionsWCOW).SecurityPolicy),
-			WithWCOWSecurityPolicyEnforcer(uvm.createOpts.(OptionsWCOW).SecurityPolicyEnforcer),
+			WithWCOWSecurityPolicy(uvm.createOpts.(*OptionsWCOW).SecurityPolicy),
+			WithWCOWSecurityPolicyEnforcer(uvm.createOpts.(*OptionsWCOW).SecurityPolicyEnforcer),
 		}
 		if err := uvm.SetWCOWConfidentialUVMOptions(ctx, copts...); err != nil {
 			return err