Riot Vanguard On-Demand Mode: What It Is, How to Enable It, and What It Means for Players

Riot Games has introduced an optional on-demand mode for its Vanguard anti-cheat. The kernel-level driver no longer loads at system start for players who meet the Pre-Check security requirements on Windows 11 25H2.

Riot Games rolled out on-demand mode for its Vanguard anti-cheat on 24 June 2026, ending, for players who opt in, the always-on boot behaviour the kernel driver has maintained since its launch in 2020. Players running VALORANT or League of Legends on a sufficiently secured Windows 11 PC can now have Vanguard load only when a Riot title launches and shut down the moment gameplay ends. According to Riot’s anti-cheat lead Phillip Koskinas, roughly 35 per cent of all players already meet the hardware requirements and can switch immediately after updating.

Why Vanguard Ran at System Start Until Now

Vanguard’s kernel-mode driver, vgk.sys, loaded the moment Windows booted. The reason was what Koskinas calls the “Who Loads First?” problem. If the anti-cheat only started with the game, a cheater could load a vulnerable driver before it, gain kernel access, and hide from anything that loaded afterwards. By starting at boot, Vanguard maintained a continuous chain of trust, blocking known vulnerable drivers and confirming that kernel space had not been compromised before the game launched.

This design was effective but deeply unpopular. Unlike most competing anti-cheat solutions that only run while a game is active, Vanguard stayed in the system tray at all times. Privacy concerns, performance questions, and the principle of a game’s security software running 24/7 made it one of the most debated topics in competitive gaming since 2020.

How On-Demand Mode Works

With on-demand mode enabled, Vanguard’s driver component does not launch when Windows starts. It loads only when a Riot game opens and unloads on exit. This is made possible by a feature Microsoft developed in collaboration with its Xbox OS Security team: the Runtime Driver Attestation Report, introduced in Windows 11 25H2. This service measures every driver loaded on demand since boot into the TPM (Trusted Platform Module) as an append-only hash, similar to how the Windows Boot Manager already handles boot-start drivers. When Vanguard starts with the game, it reads this attestation report to confirm no vulnerable driver slipped in while it was inactive.

Because the hash can only be extended and never modified without breaking the chain of trust, cheaters cannot retroactively hide driver activity. This effectively closes the gap that forced the always-on design in the first place.
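The append-only property is easiest to see in a small model. The following is an added example, not Riot’s or Microsoft’s code: it simulates a TPM-style extend operation with SHA-256 and shows a verifier replaying a driver log against the final register value. The function names, the log layout and the sample driver images are assumptions made for illustration; the real report format is not described here, and a real verifier would also check the TPM’s signature over the quoted register.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Digest of a driver image, as recorded in the measurement log."""
    return hashlib.sha256(image).digest()

def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || digest). There is no 'set'."""
    return hashlib.sha256(register + digest).digest()

def load_drivers(images):
    """Platform side: log each driver load and extend it into the register."""
    register, log = bytes(32), []
    for name, image in images:
        digest = measure(image)
        log.append((name, digest))
        register = extend(register, digest)
    return log, register

def verify(log, quoted_register, blocklist):
    """Verifier side: replay the log, then screen it against the blocklist."""
    replayed = bytes(32)
    for _name, digest in log:
        replayed = extend(replayed, digest)
    if replayed != quoted_register:
        return "log-mismatch"  # an entry was dropped, altered or reordered
    for name, digest in log:
        if digest in blocklist:
            return "blocked:" + name
    return "clean"

# Constructed sample images (hypothetical names); real measurements
# cover actual driver binaries.
DRIVER_A = ("a.sys", b"constructed benign driver A")
DRIVER_B = ("b.sys", b"constructed benign driver B")
VULNERABLE = ("old.sys", b"constructed known-vulnerable driver")
BLOCKLIST = {measure(VULNERABLE[1])}

if __name__ == "__main__":
    log, register = load_drivers([DRIVER_A, VULNERABLE, DRIVER_B])
    print(verify(log, register, BLOCKLIST))                # honest log
    print(verify([log[0], log[2]], register, BLOCKLIST))   # entry removed
```

Because each register value depends on every earlier one, a log with the vulnerable driver’s entry removed no longer replays to the quoted value, so the verifier rejects it instead of reporting a clean session.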

Vanguard Pre-Check Requirements

On-demand mode is gated behind a set of hardware and software security features Riot calls “Vanguard Pre-Check.” All of the following must be enabled:

| Requirement | Purpose |
|---|---|
| Windows 11 25H2 or later | Minimum OS version; required for the Runtime Driver Attestation Report |
| UEFI Secure Boot | Verifies the Windows bootloader and blocks bootkits during load |
| TPM 2.0 | On-board cryptoprocessor that stores keys and backs driver attestation |
| VBS and HVCI | Isolates secure memory and verifies kernel code before execution |
| IOMMU | Acts as a firewall between PCIe devices and system memory, blocking DMA abuse |

Most of these are UEFI-level settings that Vanguard cannot change on your behalf. They must be enabled manually in the BIOS/UEFI setup. Newer PCs often ship with these features turned on by default, which is why a significant chunk of the player base already qualifies.

How to Check if Your PC Is Eligible

After updating, Vanguard’s system tray application displays a new Pre-Check panel. It lists every requirement and shows which ones your system already satisfies. Clicking any unmet requirement redirects you to the relevant support documentation.

For a quick manual check on the two most common requirements:

  • Press Win + R, type tpm.msc, and press Enter. The specification version should read 2.0.
  • Press Win + R, type msinfo32, and press Enter. Look for Secure Boot State: On and BIOS Mode: UEFI.

If either setting is off, it usually means the feature is disabled in firmware rather than missing from your hardware.

Enabling TPM 2.0 and Secure Boot in BIOS

The exact menu layout varies by motherboard manufacturer, but the general steps are consistent:

  1. Shut down completely and restart. Press Delete, F2, or F10 during the splash screen to enter BIOS/UEFI setup.
  2. Intel platforms: Navigate to Advanced or Security. Find “Intel Platform Trust Technology (PTT)” and set it to Enabled.
  3. AMD platforms: Navigate to Advanced, CPU Configuration, or Trusted Computing. Enable “fTPM” or “Security Device Support.”
  4. For Secure Boot, go to the Boot or Security tab and enable “Secure Boot.” If CSM (Compatibility Support Module) is active, disable it first, as Secure Boot requires UEFI boot mode.
  5. Save changes and exit.

Koskinas notes in Riot’s official post that navigating BIOS “can be kinda tricky, ranging anywhere from intimidating to incomprehensible.” Always consult your motherboard manufacturer’s documentation before making changes.

Is On-Demand Mode Mandatory?

No. Riot has been emphatic about this point. On-demand mode is entirely optional. Players who take no action will continue running Vanguard exactly as before, with the driver starting at boot. The pre-existing behaviour remains the default. On-demand is an opt-in incentive for those who want the anti-cheat to be less persistent.

How Many Players Can Use It Right Now?

Riot’s data shows roughly 35 per cent of players already satisfy all Pre-Check requirements. These players see the on-demand toggle after their next update. The majority of remaining players have supported hardware but need to enable certain UEFI settings manually. Only about 3 per cent of the player base is on hardware that cannot support one or more requirements at all. For those players, Vanguard continues to operate in its traditional always-on mode.

The secured-player percentage is growing by approximately 1 to 2 percentage points per month as hardware ages out and newer machines enter the ecosystem.

What About Anti-Cheat Effectiveness?

Riot’s published statistics indicate that cheaters affect about 0.7 per cent of all PC ranked matches across VALORANT and League of Legends. The dominant cheat vectors are kernel-level exploits, DMA hardware, and pixel-based aimbots. Cheaters deliberately disable the same security features Pre-Check requires: Secure Boot, TPM, VBS, and IOMMU. By making these features the gateway to on-demand mode, Riot creates a trust-segmentation layer where secured players are separated from less secure environments.

Koskinas revealed that the TPM’s Endorsement Key is physically burned into hardware at the factory. If Riot bans that key, replacing it on firmware-based TPMs (fTPM) requires replacing the CPU itself, making hardware bans far more punishing for repeat offenders.

Does This Change Anything About Kernel-Level Access?

No. On-demand mode changes when the driver runs, not how it runs. While active, Vanguard still operates at kernel level (Ring 0). It still requires a system reboot after initial installation, and it still performs the same integrity checks on game memory. The fundamental architecture is unchanged; only the idle-state persistence is removed for eligible players.

Linux and Mac Support

On-demand mode does not extend Vanguard to new platforms. VALORANT remains unsupported on Linux and macOS. League of Legends can technically run on Linux through community tools, but Vanguard blocks that path. This update is strictly a Windows 11 feature.

What Players Usually Want to Know

Will on-demand mode hurt my FPS or cause performance issues?

Enabling VBS and HVCI can have a small performance overhead on some systems, as these features use hardware virtualisation. However, most modern PCs shipped after 2022 already have them enabled by default with negligible impact. Riot does not claim any performance difference from on-demand mode itself.

Can I switch back to always-on mode after enabling on-demand?

Yes. The toggle works both ways. If you prefer Vanguard to keep running at boot, you can revert at any time through the system tray application.

Does this work on Windows 10?

No. The Runtime Driver Attestation Report exists only in Windows 11 25H2 and later. Riot’s data also shows that older Windows versions have significantly higher cheat rates due to missing security APIs and known kernel exploits.

What if my hardware does not support TPM 2.0?

If your CPU lacks firmware TPM support and you do not have a discrete TPM 2.0 module, you cannot meet the Pre-Check requirements. Vanguard will continue operating in its traditional always-on mode. No action is needed, and your gameplay is not affected.
