Send a shieldedInstanceConfig when provisioning the VM. Leave unchecked to let the boot image's defaults apply.

See the Shielded VM documentation.