Riot Vanguard drops always-on requirement for Windows 11 users

Key Takeaways

• Vanguard On-Demand loads the anti-cheat only when launching a Riot game and unloads it on exit
• The feature requires Windows 11 25H2, TPM 2.0, Secure Boot, VBS, HVCI, and IOMMU enabled
• About 35% of players already meet these requirements; the rest must enable settings manually in BIOS

Riot Games is ending Vanguard's controversial boot-time requirement after four years. Starting today, players on Windows 11 25H2 can switch to Vanguard On-Demand, a mode that loads the kernel-level anti-cheat only when launching a Riot game and unloads it when you quit. The catch: your PC must have a full security stack enabled, including features many gamers deliberately disable for performance.

Since Vanguard launched with Valorant in 2020, the driver has started at Windows boot and run continuously, whether you were playing or not. That always-on design gave Riot deep visibility into potential cheat software but sparked backlash from players uncomfortable with a gaming company's code running at Ring 0, the kernel level, around the clock.

What hardware and software does On-Demand mode require?

The new mode works only on PCs running Windows 11 25H2 with UEFI Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU all switched on. Riot anti-cheat lead Phillip Koskinas said roughly 35% of players already clear that bar. About 3% run hardware that cannot meet the requirements at all.

Many prebuilt PCs and laptops sold in the past two years ship with these features enabled by default. For everyone else, enabling them means a trip into BIOS. Vanguard cannot flip these settings for you.

Riot calls the qualifying checklist Vanguard Pre-Check. Koskinas estimates the share of fully secured machines at 34.33% and rising one to two percentage points per month as older hardware ages out.

How does Riot detect cheats loaded before Vanguard starts?

The technical enabler is Microsoft's Runtime Driver Attestation Report, built with the Xbox OS Security team and new to Windows 11 25H2. It records every driver loaded since boot as a running, append-only hash stored in the TPM. The same measured-boot method already secures the Windows Boot Manager for boot-start drivers.

When a Riot game launches, Vanguard checks that attestation report to confirm no vulnerable driver slipped in while it sat idle. That closes the gap that forced the always-on design. Older Windows releases lack this reporting hook, which is why 25H2 is a hard requirement.

The performance trade-off gamers will have to weigh

VBS and HVCI are likely to become sticking points. Both run parts of the kernel inside a hardware-isolated enclave, and benchmarks have long shown a small but noticeable degradation to frame rate. That's why many competitive players leave them off.

Turning VBS on also activates Microsoft's vulnerable driver blocklist, which can disable older peripheral drivers. If your RGB controller or capture card relies on an outdated driver, you may find it blocked.

Riot says it is not forcing anyone to change. Players can leave Vanguard in its existing always-on mode. The company is willing to wait until the ecosystem matures before pushing harder.

Riot's long push for stricter Windows security

Riot has spent years using Vanguard to enforce a baseline security stack. It began requiring TPM 2.0 and Secure Boot on Windows 11 in 2020. When the company brought Vanguard to League of Legends in 2024, the backlash intensified.

In December, Riot flagged a pre-boot motherboard flaw across Asus, Gigabyte, MSI, and ASRock boards. Last month, a Vanguard update bricked DMA cheat hardware, likely tied to stricter IOMMU enforcement. The company has been aggressive, and that aggression has built trust with competitive players while alienating privacy-conscious users.

On-Demand mode is a concession to critics who argued that always-on kernel access was overkill. It is also a bet that Microsoft's new attestation system is robust enough to fill the gap.

What this means for the anti-cheat industry

Kernel-level anti-cheat is standard in competitive shooters. Easy Anti-Cheat and BattlEye both operate at Ring 0. But Vanguard's boot-time requirement set it apart, and that distinction drew outsized scrutiny.

If Riot's On-Demand mode proves effective, it could pressure other anti-cheat vendors to follow. The Windows 11 25H2 attestation report is available to any developer willing to require the same security stack. Whether players will tolerate those requirements is another question.

Frequently Asked Questions

Does Vanguard still run at kernel level in On-Demand mode?

Yes. Vanguard still operates as a Ring 0 kernel driver. The difference is that it loads only when you launch a Riot game and unloads when you exit, rather than running from boot until shutdown.

Can I use On-Demand mode on Windows 10?

No. The feature requires Windows 11 version 25H2 because it depends on Microsoft's Runtime Driver Attestation Report, which is not available on older Windows releases.

Will enabling VBS and HVCI hurt my gaming performance?

Benchmarks show a small but measurable frame rate drop with VBS and HVCI enabled. The impact varies by game and hardware, but competitive players often disable these features for that reason.

What happens if my PC does not meet the requirements?

You can continue using Vanguard in its existing always-on mode. Riot is not forcing anyone to switch, and about 3% of players have hardware that cannot meet the requirements at all.

How do I enable the required security features?

Most settings are in your UEFI/BIOS. You will need to enable Secure Boot, TPM 2.0, VBS, HVCI, and IOMMU. The exact steps vary by motherboard manufacturer.

Source: Latest from Tom's Hardware