diff --git a/subiquity/cmd/server.py b/subiquity/cmd/server.py
index fc9a1df1..e7edc7ff 100644
--- a/subiquity/cmd/server.py
+++ b/subiquity/cmd/server.py
@@ -129,6 +129,13 @@ def make_server_args_parser():
         default=".subiquity",
         help="in dryrun, control basedir of files",
     )
+    parser.add_argument(
+        "--no-enhanced-secureboot",
+        dest="enhanced_secureboot",
+        action="store_false",
+        default=True,
+    )
+
     parser.add_argument("--storage-version", action="store", type=int)
     parser.add_argument("--use-os-prober", action="store_true", default=False)
     parser.add_argument(
diff --git a/subiquity/server/controllers/filesystem.py b/subiquity/server/controllers/filesystem.py
index ce876819..af92df4b 100644
--- a/subiquity/server/controllers/filesystem.py
+++ b/subiquity/server/controllers/filesystem.py
@@ -373,6 +373,9 @@ class FilesystemController(SubiquityController, FilesystemManipulator):
                 system = await self._get_system(name, label)
             log.debug("got system %s for variation %s", system, name)
             if system is not None and len(system.volumes) > 0:
+                if not self.app.opts.enhanced_secureboot:
+                    log.debug("Not offering enhanced_secureboot: commandline disabled")
+                    continue
                 info = self.info_for_system(name, label, system)
                 if info is not None:
                     self._variation_info[name] = info
@@ -607,6 +610,10 @@ class FilesystemController(SubiquityController, FilesystemManipulator):
         disk = self.model._one(id=choice.target.disk_id)
 
         if self.is_core_boot_classic():
+            if not self.app.opts.enhanced_secureboot:
+                raise ValueError(
+                    "Not using enhanced_secureboot: disabled on commandline"
+                )
             assert isinstance(choice.target, GuidedStorageTargetReformat)
             self.use_tpm = choice.capability == GuidedCapability.CORE_BOOT_ENCRYPTED
             await self.guided_core_boot(disk)
diff --git a/subiquity/tests/api/test_api.py b/subiquity/tests/api/test_api.py
index b3abe185..f76fcd2e 100644
--- a/subiquity/tests/api/test_api.py
+++ b/subiquity/tests/api/test_api.py
@@ -644,6 +644,34 @@ class TestCore(TestAPI):
             self.assertDictSubset(dict(mount=None), p3)
             self.assertDictSubset(dict(mount="/"), p4)
 
+    @timeout()
+    async def test_basic_core_boot_cmdline_disable(self):
+        cfg = self.machineConfig("examples/machines/simple.json")
+        with cfg.edit() as data:
+            attrs = data["storage"]["blockdev"]["/dev/sda"]["attrs"]
+            attrs["size"] = str(25 << 30)
+        kw = dict(
+            bootloader="uefi",
+            extra_args=[
+                "--storage-version",
+                "2",
+                "--source-catalog",
+                "examples/sources/install-canary.yaml",
+                "--dry-run-config",
+                "examples/dry-run-configs/tpm.yaml",
+                "--no-enhanced-secureboot",
+            ],
+        )
+        async with start_server(cfg, **kw) as inst:
+            await inst.post("/source", source_id="ubuntu-desktop")
+            resp = await inst.get("/storage/v2/guided", wait=True)
+            [reformat, manual] = resp["targets"]
+            for capability in reformat["allowed"]:
+                self.assertNotIn("CORE_BOOT", capability)
+            data = dict(target=reformat, capability="CORE_BOOT_ENCRYPTED")
+            with self.assertRaises(ClientResponseError):
+                await inst.post("/storage/v2/guided", data)
+
 
 class TestAdd(TestAPI):
     @timeout()