Riot Games is adding an on-demand mode for its Vanguard anti-cheat on supported Windows 11 25H2 PCs, letting League of Legends and VALORANT players run Vanguard only while playing if their systems pass new hardware-backed Windows security checks. The change is not a retreat from kernel anti-cheat so much as a shift in who does the watching. Microsoft is now giving Riot a cryptographic trail of what entered the kernel before Vanguard arrived. For Windows users who have distrusted an always-on game security driver for years, that distinction matters.
Vanguard’s original bargain was brutally simple: if cheats can compromise Windows before a game launches, the anti-cheat has to be awake before the cheats are. That is why Vanguard became infamous for starting with the operating system rather than with VALORANT or League of Legends. Riot argued that this early position was necessary to police vulnerable drivers, kernel tampering, and hardware-assisted attacks that traditional user-mode anti-cheat would never see.
The new on-demand mode changes that timing without changing Riot’s underlying philosophy. Vanguard still wants visibility into kernel-space risk. It still treats cheating as a close cousin of malware. It still depends on Windows platform integrity features that many ordinary users barely know exist.
What has changed is the evidence chain. Riot says Microsoft’s Runtime Driver Attestation Report allows Vanguard to learn which drivers loaded since boot, even if Vanguard itself was not running when they arrived. That turns the anti-cheat from a permanent sentry into something closer to a verifier: it can show up later, inspect a hardware-backed record, and decide whether the system is trustworthy enough to play.
That is a meaningful privacy and usability concession, but it is not the end of invasive anti-cheat. It is the normalization of a different model: game security increasingly rests on Windows’ own measured-boot and attestation machinery.
That tracks with the broader software world. If AI coding assistants make it easier to generate legitimate apps, they also make it easier to generate low-grade malware, automation tools, and game cheats. Riot’s jab at “bans-as-a-service” is funny because it is also the business reality: cheat makers can now iterate faster, personalize more, and burn through disposable builds.
Vanguard’s answer is to care less about the cheat payload and more about the method of compromise. In Riot’s framing, the decisive question is not “which cheat is this?” but “how did this code get into a place where it can observe or manipulate the game?” That is why vulnerable drivers matter so much. Signed-but-flawed kernel drivers can become convenient doors into privileges that Windows is supposed to reserve for trusted code.
This is also why the debate around Vanguard has always been slightly misframed. The most controversial part was that Riot’s driver ran from boot, but the deeper issue was the rise of competitive PC games as security-sensitive environments. Once the prize pool, ranking ladder, and streaming economy become large enough, the game client is no longer just an entertainment app. It becomes a target.
That record reportedly contains the driver name and hash, not personal files or browsing history. The important property is that it is cumulative and hardware-backed. If a driver was loaded, the measurement chain should reflect it; if someone tries to rewrite history, the chain breaks.
For Vanguard, this is the missing piece. The anti-cheat no longer needs to be present at boot merely to know whether a suspicious driver slipped in earlier. It can start when the game starts, request the attestation report, and evaluate whether the machine has crossed a line.
This is the kind of change only the OS vendor can make cleanly. Riot could build aggressive monitoring around its own boot driver, but it could not make Windows itself provide a trusted kernel history after the fact. Microsoft’s involvement matters because it moves anti-cheat evidence gathering from vendor-specific surveillance toward platform-level attestation.
That does not make everyone comfortable. A cryptographic report that helps Riot today could help enterprise security tools, DRM systems, endpoint agents, and other trust brokers tomorrow. The same mechanism that proves a cheat driver loaded can also be used to decide whether a machine is sufficiently “clean” for some other service. Windows is becoming more attestable, and that is powerful in both the useful and uncomfortable senses of the word.
This will annoy users on older Windows releases, and not without reason. League of Legends and VALORANT are not graphically extravagant games by modern PC standards. Many machines that can run the games perfectly well may not qualify for the new on-demand mode because they lack the right OS version, firmware configuration, TPM support, Secure Boot posture, or other platform requirements.
But Riot’s security logic is coherent. Older operating systems are easier to attack, and older driver models leave more room for abuse. Cheating techniques follow the weakest viable platform because attackers optimize for what works at scale. If Windows 10 or improperly secured Windows 11 installations are easier to bend, anti-cheat vendors will either degrade trust on those systems or keep heavier monitoring in place.
The result is a two-tier Vanguard world. On newer, properly configured PCs, Vanguard can become more polite. On older or less verifiable systems, the old boot-time assumptions remain.
That is likely to become a pattern beyond Riot. As Windows security features mature, PC gaming may inherit a compliance ladder that looks more like enterprise endpoint security than consumer entertainment. The best experience goes to machines that can prove their integrity; everyone else gets friction.
On-demand mode directly addresses that complaint for eligible systems. If Vanguard can launch with the game and stop afterward, the ordinary user’s mental model becomes simpler: the anti-cheat is active while the protected game is active. That is the standard most people intuitively expect.
But the privacy victory has boundaries. Vanguard is still kernel-level anti-cheat. It still evaluates low-level system state. It still depends on Windows features that attest to what happened on the machine before the game launched. The surveillance window narrows, but the trust demand does not disappear.
The more interesting change is institutional. Riot is effectively saying, “We do not need to watch everything ourselves if Windows can produce trustworthy evidence.” That is a better architecture than every anti-cheat vendor inventing its own permanent watchdog, but it concentrates trust in Microsoft’s platform security model. For WindowsForum readers, that is both familiar and consequential: the OS is becoming the referee for more third-party trust decisions.
Some of that backlash was overheated. Kernel access does not automatically mean spyware, and competitive games do face real attacks that cannot be handled from user space alone. But some of the backlash was entirely rational. A faulty kernel driver can crash a PC. A compatibility issue at that layer can be harder for ordinary users to diagnose. A vendor mistake can have consequences far beyond a game client.
On-demand mode lowers one source of friction, especially for users who disliked Vanguard’s system-tray presence after they were done playing. It may also reduce conflicts with other games and security tools that object to Vanguard’s always-on posture. But it will not satisfy people whose objection is to game companies operating in the kernel at all.
That argument is not going away because the economics are not going away. Competitive integrity is now a product feature. Ranked ladders, esports scenes, in-game economies, and streamer-driven reputations all depend on players believing the match is fair enough to be worth their time. When cheating becomes cheaper and more automated, publishers reach deeper into the system.
The question is no longer whether kernel anti-cheat is invasive. It is. The real question is whether the platform can make that invasiveness more bounded, more auditable, and less permanent. Riot’s new mode is one of the first signs that the answer may be yes, but only for users who keep pace with Windows’ security baseline.
This is probably where Microsoft wants the ecosystem to go. TPMs, Secure Boot, virtualization-based security, driver blocklists, memory integrity, and attestation are not isolated features. They are pieces of a platform story in which Windows can say not just “this code is signed” but “this machine reached its current state through a measurable, defensible sequence.”
For sysadmins, that sounds familiar. Enterprises already care about device compliance, measured boot, secure baselines, and conditional access. Riot is applying a similar worldview to consumer gaming: before you join the match, prove the machine has not taken a suspicious path.
That can be good security engineering and still feel strange in a leisure context. Players are not employees logging into a corporate tenant. They are people trying to queue for a match after work. The more games inherit enterprise-style trust checks, the more the PC gaming experience depends on firmware settings, Windows build numbers, and security posture that users did not choose with gaming in mind.
Riot’s tone may be irreverent, but the architecture is serious. The company is betting that platform attestation can keep cheat developers from exploiting the gap between boot and game launch. If that works, Vanguard’s most controversial behavior becomes less necessary. If it fails, the industry will learn that even hardware-backed driver history is not enough.
At minimum, Riot says users need Windows 11 25H2. In practice, they may also need compatible hardware, enabled security features, clean driver histories, and a Vanguard Pre-Check result that Riot is willing to trust. This is not merely a software update; it is a platform eligibility test.
That distinction matters for support desks and community forums. The next wave of Vanguard complaints may not be about how to disable it, but why on-demand mode is unavailable on a machine that otherwise runs the game. Expect BIOS settings, TPM status, Secure Boot, driver signatures, Insider builds, and OEM firmware quirks to become part of the troubleshooting vocabulary.
There is also a communication risk for Riot. The company has to explain that on-demand mode is optional, conditional, and dependent on Windows 11 25H2-era security plumbing. If it oversells the simplicity, users will experience the feature as another opaque gate. If it undersells the requirements, the people most eager to escape always-on Vanguard may be the first to feel excluded.
For Windows enthusiasts, this is the hidden cost of security maturation. The PC remains open, but the trusted subset of the PC ecosystem keeps narrowing. You can still run all kinds of hardware, drivers, tools, and old operating systems. You just may not be allowed to bring that whole messy stack into every competitive game.
Riot Finally Finds a Way to Stop Being There First
Vanguard’s original bargain was brutally simple: if cheats can compromise Windows before a game launches, the anti-cheat has to be awake before the cheats are. That is why Vanguard became infamous for starting with the operating system rather than with VALORANT or League of Legends. Riot argued that this early position was necessary to police vulnerable drivers, kernel tampering, and hardware-assisted attacks that traditional user-mode anti-cheat would never see.The new on-demand mode changes that timing without changing Riot’s underlying philosophy. Vanguard still wants visibility into kernel-space risk. It still treats cheating as a close cousin of malware. It still depends on Windows platform integrity features that many ordinary users barely know exist.
What has changed is the evidence chain. Riot says Microsoft’s Runtime Driver Attestation Report allows Vanguard to learn which drivers loaded since boot, even if Vanguard itself was not running when they arrived. That turns the anti-cheat from a permanent sentry into something closer to a verifier: it can show up later, inspect a hardware-backed record, and decide whether the system is trustworthy enough to play.
That is a meaningful privacy and usability concession, but it is not the end of invasive anti-cheat. It is the normalization of a different model: game security increasingly rests on Windows’ own measured-boot and attestation machinery.
The Anti-Cheat War Has Moved Below the Game
Riot’s explanation is unusually candid about the state of cheating in 2026. The company says agentic coding tools have lowered the barrier to writing cheats, especially crude computer-vision bots and one-off hacks tailored to individual users. The old model of identifying and blocking each cheat executable is collapsing under fragmentation.That tracks with the broader software world. If AI coding assistants make it easier to generate legitimate apps, they also make it easier to generate low-grade malware, automation tools, and game cheats. Riot’s jab at “bans-as-a-service” is funny because it is also the business reality: cheat makers can now iterate faster, personalize more, and burn through disposable builds.
Vanguard’s answer is to care less about the cheat payload and more about the method of compromise. In Riot’s framing, the decisive question is not “which cheat is this?” but “how did this code get into a place where it can observe or manipulate the game?” That is why vulnerable drivers matter so much. Signed-but-flawed kernel drivers can become convenient doors into privileges that Windows is supposed to reserve for trusted code.
This is also why the debate around Vanguard has always been slightly misframed. The most controversial part was that Riot’s driver ran from boot, but the deeper issue was the rise of competitive PC games as security-sensitive environments. Once the prize pool, ranking ladder, and streaming economy become large enough, the game client is no longer just an entertainment app. It becomes a target.
Microsoft Hands Riot the Ledger It Wanted
The key technical development is Runtime Driver Attestation. Riot describes it as a Windows capability that measures on-demand driver loads into the Trusted Platform Module, similar in spirit to the way boot-start components are already measured during the boot process. In plain English: Windows can maintain a tamper-resistant record of drivers that entered the system after startup.That record reportedly contains the driver name and hash, not personal files or browsing history. The important property is that it is cumulative and hardware-backed. If a driver was loaded, the measurement chain should reflect it; if someone tries to rewrite history, the chain breaks.
For Vanguard, this is the missing piece. The anti-cheat no longer needs to be present at boot merely to know whether a suspicious driver slipped in earlier. It can start when the game starts, request the attestation report, and evaluate whether the machine has crossed a line.
This is the kind of change only the OS vendor can make cleanly. Riot could build aggressive monitoring around its own boot driver, but it could not make Windows itself provide a trusted kernel history after the fact. Microsoft’s involvement matters because it moves anti-cheat evidence gathering from vendor-specific surveillance toward platform-level attestation.
That does not make everyone comfortable. A cryptographic report that helps Riot today could help enterprise security tools, DRM systems, endpoint agents, and other trust brokers tomorrow. The same mechanism that proves a cheat driver loaded can also be used to decide whether a machine is sufficiently “clean” for some other service. Windows is becoming more attestable, and that is powerful in both the useful and uncomfortable senses of the word.
Windows 11 25H2 Becomes the New Gaming Security Line
Riot says Vanguard Pre-Check requires at least Windows 11 25H2 because the driver attestation report first appears there. That is a practical version gate, but it is also a philosophical one. Riot is drawing a line between PCs that can provide modern hardware-backed security evidence and PCs that cannot.This will annoy users on older Windows releases, and not without reason. League of Legends and VALORANT are not graphically extravagant games by modern PC standards. Many machines that can run the games perfectly well may not qualify for the new on-demand mode because they lack the right OS version, firmware configuration, TPM support, Secure Boot posture, or other platform requirements.
But Riot’s security logic is coherent. Older operating systems are easier to attack, and older driver models leave more room for abuse. Cheating techniques follow the weakest viable platform because attackers optimize for what works at scale. If Windows 10 or improperly secured Windows 11 installations are easier to bend, anti-cheat vendors will either degrade trust on those systems or keep heavier monitoring in place.
The result is a two-tier Vanguard world. On newer, properly configured PCs, Vanguard can become more polite. On older or less verifiable systems, the old boot-time assumptions remain.
That is likely to become a pattern beyond Riot. As Windows security features mature, PC gaming may inherit a compliance ladder that looks more like enterprise endpoint security than consumer entertainment. The best experience goes to machines that can prove their integrity; everyone else gets friction.
The Privacy Win Is Real, but Narrow
For years, Vanguard’s critics objected less to anti-cheat in principle than to its persistence. A kernel driver that loads at boot and remains active even when no Riot game is running feels qualitatively different from software that appears only when needed. Even if Riot’s intentions are limited, the posture asks users to trust a game company with unusually privileged, always-present code.On-demand mode directly addresses that complaint for eligible systems. If Vanguard can launch with the game and stop afterward, the ordinary user’s mental model becomes simpler: the anti-cheat is active while the protected game is active. That is the standard most people intuitively expect.
But the privacy victory has boundaries. Vanguard is still kernel-level anti-cheat. It still evaluates low-level system state. It still depends on Windows features that attest to what happened on the machine before the game launched. The surveillance window narrows, but the trust demand does not disappear.
The more interesting change is institutional. Riot is effectively saying, “We do not need to watch everything ourselves if Windows can produce trustworthy evidence.” That is a better architecture than every anti-cheat vendor inventing its own permanent watchdog, but it concentrates trust in Microsoft’s platform security model. For WindowsForum readers, that is both familiar and consequential: the OS is becoming the referee for more third-party trust decisions.
The Kernel-Level Backlash Will Not Vanish
Vanguard has spent years as a symbol of kernel anti-cheat controversy. It arrived with VALORANT, later expanded to League of Legends, and became a recurring flashpoint whenever users reported compatibility problems, driver conflicts, BIOS settings confusion, or anxiety about software running beneath normal admin privileges.Some of that backlash was overheated. Kernel access does not automatically mean spyware, and competitive games do face real attacks that cannot be handled from user space alone. But some of the backlash was entirely rational. A faulty kernel driver can crash a PC. A compatibility issue at that layer can be harder for ordinary users to diagnose. A vendor mistake can have consequences far beyond a game client.
On-demand mode lowers one source of friction, especially for users who disliked Vanguard’s system-tray presence after they were done playing. It may also reduce conflicts with other games and security tools that object to Vanguard’s always-on posture. But it will not satisfy people whose objection is to game companies operating in the kernel at all.
That argument is not going away because the economics are not going away. Competitive integrity is now a product feature. Ranked ladders, esports scenes, in-game economies, and streamer-driven reputations all depend on players believing the match is fair enough to be worth their time. When cheating becomes cheaper and more automated, publishers reach deeper into the system.
The question is no longer whether kernel anti-cheat is invasive. It is. The real question is whether the platform can make that invasiveness more bounded, more auditable, and less permanent. Riot’s new mode is one of the first signs that the answer may be yes, but only for users who keep pace with Windows’ security baseline.
Riot’s Real Achievement Is Outsourcing Suspicion to the Platform
There is a strategic elegance in Riot’s move. Vanguard has been criticized for behaving like a security product from a game company. With Runtime Driver Attestation, Riot can lean on Windows to provide part of the same assurance an endpoint security platform would want. That makes Vanguard less of a lone actor and more of a consumer of OS-native trust signals.This is probably where Microsoft wants the ecosystem to go. TPMs, Secure Boot, virtualization-based security, driver blocklists, memory integrity, and attestation are not isolated features. They are pieces of a platform story in which Windows can say not just “this code is signed” but “this machine reached its current state through a measurable, defensible sequence.”
For sysadmins, that sounds familiar. Enterprises already care about device compliance, measured boot, secure baselines, and conditional access. Riot is applying a similar worldview to consumer gaming: before you join the match, prove the machine has not taken a suspicious path.
That can be good security engineering and still feel strange in a leisure context. Players are not employees logging into a corporate tenant. They are people trying to queue for a match after work. The more games inherit enterprise-style trust checks, the more the PC gaming experience depends on firmware settings, Windows build numbers, and security posture that users did not choose with gaming in mind.
Riot’s tone may be irreverent, but the architecture is serious. The company is betting that platform attestation can keep cheat developers from exploiting the gap between boot and game launch. If that works, Vanguard’s most controversial behavior becomes less necessary. If it fails, the industry will learn that even hardware-backed driver history is not enough.
The Catch Is That “Supported PC” Will Do a Lot of Work
The phrase “on-demand Vanguard” will travel faster than the fine print. Many players will hear that Vanguard no longer has to run all the time and assume the controversy is over. Then they will discover the requirement stack.At minimum, Riot says users need Windows 11 25H2. In practice, they may also need compatible hardware, enabled security features, clean driver histories, and a Vanguard Pre-Check result that Riot is willing to trust. This is not merely a software update; it is a platform eligibility test.
That distinction matters for support desks and community forums. The next wave of Vanguard complaints may not be about how to disable it, but why on-demand mode is unavailable on a machine that otherwise runs the game. Expect BIOS settings, TPM status, Secure Boot, driver signatures, Insider builds, and OEM firmware quirks to become part of the troubleshooting vocabulary.
There is also a communication risk for Riot. The company has to explain that on-demand mode is optional, conditional, and dependent on Windows 11 25H2-era security plumbing. If it oversells the simplicity, users will experience the feature as another opaque gate. If it undersells the requirements, the people most eager to escape always-on Vanguard may be the first to feel excluded.
For Windows enthusiasts, this is the hidden cost of security maturation. The PC remains open, but the trusted subset of the PC ecosystem keeps narrowing. You can still run all kinds of hardware, drivers, tools, and old operating systems. You just may not be allowed to bring that whole messy stack into every competitive game.
The Vanguard Compromise Arrives With Fine Print Attached
Riot’s announcement is best read as a compromise between player trust and cheat resistance, not as a surrender by either side. It gives privacy-conscious users a cleaner runtime model, while preserving Riot’s ability to reject machines that show signs of kernel-level compromise. The practical lesson is that the future of anti-cheat will be less about whether a driver is always awake and more about whether the OS can prove what happened while it slept.- Vanguard’s on-demand mode is intended for sufficiently secured Windows 11 25H2 systems that can provide Microsoft’s runtime driver attestation data.
- Riot is not abandoning kernel-level anti-cheat; it is changing when Vanguard needs to run on machines that can produce trustworthy driver history.
- The feature should reduce the everyday annoyance of an always-on anti-cheat, but it will not remove low-level system inspection from VALORANT or League of Legends.
- Older Windows installations and less secure PC configurations are likely to remain subject to stricter Vanguard behavior.
- The larger shift is that Windows platform security is becoming part of the admission system for competitive PC gaming.
References
- Primary source: Riot Games
Published: 2026-06-24T17:20:42.280730
Vanguard On-Demand - Anti-Cheat Update | Riot Games
Vanguard On-Demand: Enable these security features and our anti-cheat will only run while your game does, not on system start.www.riotgames.com - Related coverage: support-valorant.riotgames.com
Riot Games Support
Find answers to your questions and get help with your Riot Games account.support-valorant.riotgames.com - Related coverage: tweakers.net
- Related coverage: techspot.com
League of Legends receives controversial Vanguard anti-cheat, Windows 11 now requires TPM 2.0 | TechSpot
League of Legends players on Windows are now receiving prompts to install Riot Games' Vanguard anti-cheat system. Since the company introduced the software in Valorant a few...www.techspot.com - Related coverage: arstechnica.com
Riot Games’ anti-cheat software will require TPM, Secure Boot on Windows 11 - Ars Technica
New requirements aren't being enforced on Windows 10—at least not yet.arstechnica.com - Related coverage: tomshardware.com
Critical motherboard flaw allows game cheats, Riot Games blocks 'Valorant' players that don't update BIOS — security patches pushed live by all major motherboard vendors | Tom's Hardware
Update your BIOS or risk getting a VAN:Restriction.www.tomshardware.com
- Related coverage: support-leagueoflegends.riotgames.com
Riot Games Support
Find answers to your questions and get help with your Riot Games account.support-leagueoflegends.riotgames.com - Related coverage: leagueoflegends.fandom.com
Riot Vanguard | League of Legends Wiki | Fandom
Riot Vanguard is a ring 0 (kernel) custom anti-cheat security software developed by Riot Games. It is designed to uphold the highest levels of competitive integrity for League of Legends, Teamfight Tactics, 2XKO,[2] and Valorant. The application consists of a kernel-mode driver that starts on...leagueoflegends.fandom.com
- Related coverage: gamesradar.com
Riot's anti-cheat "does not in any way brick PCs," though Valorant cheaters say otherwise | GamesRadar+
You might want to consider not cheatingwww.gamesradar.com - Related coverage: thespike.gg
VAN 1067: League of Legends Vanguard error fix
Fix League of Legends VAN 1067 error with TPM 2.0, Secure Boot, Vanguard reinstall, driver checks, and proven solutions.www.thespike.gg
- Related coverage: windowscentral.com
"Congrats to the owners of a brand new $6k paperweight": Valorant dev Riot makes players think Vanguard anti-cheat will brick their PCs, causing uproar — here's what's really happening | Windows Central
A sassy Riot Games post ignited major controversy in the Valorant community.www.windowscentral.com - Related coverage: pcgamer.com
Riot taunts would-be hackers using physical hardware to cheat: 'congrats to the owners of a brand new $6k paperweight' | PC Gamer
Vanguard gets a DMA-spanking upgrade.www.pcgamer.com
