Riot Games Ends Always-On Kernel Anti-Cheat with Vanguard On-Demand for Windows 11

{
"title": "Riot Games Ends Always-On Kernel Anti-Cheat with Vanguard On-Demand for Windows 11",
"content": "Riot Games has begun rolling out a long-awaited overhaul to its Vanguard anti-cheat system, introducing an on-demand mode that loads the kernel-level driver only when players launch a Riot game, rather than at system boot. The rollout, which started on June 24, 2026, targets eligible Windows 11 users and marks a significant departure from a policy that has drawn steady criticism since the anti-cheat’s debut in 2020. With Vanguard On-Demand, Riot aims to placate privacy-conscious gamers without sacrificing the cheat-detection prowess that made its competitive titles some of the cleanest in the industry.

A Long-Awaited Shift

The always-on nature of Vanguard has been a flashpoint ever since it arrived with Valorant. Unlike many rivals that activate when a game starts, Vanguard’s kernel driver—vgk.sys—loaded during Windows boot and ran continuously, scanning for cheats even when no Riot game was active. Riot argued this persistent monitoring was essential to catch sophisticated rootkits and cheats that initialize before anti-cheat software can start. But the approach drew complaints: it consumed system resources, raised privacy flags, and occasionally clashed with other drivers, causing blue screens.

Riot promised a more flexible model back in 2023, and after years of development, Vanguard On-Demand is here. Initially available to a limited set of Valorant and League of Legends players on Windows 11, it will expand in waves. Eligible systems must have UEFI Secure Boot enabled and a TPM 2.0 chip—requirements that align with Microsoft’s stringent Windows 11 hardware mandate.

The Kernel Conundrum: Why Vanguard Was Always On

Kernel-level anti-cheat tools operate with the highest system privileges, giving them unfettered access to memory, processes, and hardware. This deep integration is necessary to combat sophisticated cheats that also run at the kernel level, such as drivers that manipulate game memory or intercept input. Cheat developers often exploit the fact that many anti-cheat solutions start only when a game is launched; by that time, a cheat driver already in memory can hide itself or modify the game client.

Vanguard’s original design neutralized this window by loading at boot, before any malicious software could get a foothold. It employed a network of integrity checks and behavioral heuristics that made Valorant, in particular, notoriously difficult to cheat in compared to other popular shooters. The trade-off was that the driver was omnipresent, even when users were just browsing the web or working. Critics argued this was overkill, akin to running a bank vault door on a bedroom closet.

Vanguard On-Demand: How It Works

The on-demand mode fundamentally changes Vanguard’s lifecycle. Now, the kernel driver loads only when a Riot game client launches and unloads shortly after the game closes. To achieve this without creating a security gap, Riot leverages Windows 11 security features to establish a chain of trust.

When a player initiates a Riot game, the user-mode Vanguard client first performs a secure attestation using the TPM to verify that the system hasn’t been tampered with. It then instructs Windows to load the signed kernel driver, which begins its scanning routines. Throughout the gaming session, the driver maintains a protected environment using virtualization-based security (VBS), isolating its memory from potential attackers. When the game ends, the driver is stopped and unloaded from the kernel, freeing up memory and processor cycles.

Crucially, the unload process is as secure as the load. Riot uses Windows Secure Boot signatures to ensure that only trusted code can reload the driver, preventing cheat developers from simulating a game launch to trick the anti-cheat into loading. The system also monitors for any unauthorized attempts to reload the driver outside of a genuine game session.

Windows 11: The Secure Foundation

The on-demand architecture is built on capabilities that are only fully realized in Windows 11. The operating system’s strict TPM 2.0 and Secure Boot requirements, once viewed as annoyances by many users, here become enablers. Secure Boot guarantees that the boot process is authenticated, while TPM provides hardware-backed attestation and key storage. Virtualization-based security—available in Windows 11 Pro and Enterprise—adds a layer of isolation that makes it much harder for malware (or cheats) to tamper with the anti-cheat driver.

Riot explicitly ties eligibility to these features: Windows 11 with Secure Boot on, TPM 2.0 active, and virtualization enabled. This excludes Windows 10 systems, even those that technically support TPM 2.0. The company states that Windows 10 lacks the consistent security baseline needed to safely support on-demand loading without opening backdoors. With Windows 10’s retirement in 2025, the requirement also nudges the gaming community toward modernization.

Performance and Privacy Gains

For everyday users, the most immediate benefit is reduced overhead. In always-on mode, Vanguard consumed a modest but non-zero amount of CPU and RAM—typically around 1–2% CPU and 100–150 MB of memory, depending on the system. While hardly a concern for high-end rigs, on lower-specced machines or during intensive non-gaming tasks, that idle consumption could be noticeable. Unloading the driver when not gaming restores those resources.

Privacy-wise, the change is meaningful. A kernel driver with unrestricted access is a powerful tool; although Riot says Vanguard does not exfiltrate personal data, the potential for misuse cannot be ignored. By confining the driver’s activity to gaming sessions, the attack surface shrinks. Users who dual-boot or use their machines for sensitive work can now enjoy Riot games without permanently surrendering kernel access. This also reduces the chance of driver conflicts with other security software or development tools.

Security Trade-offs and the Cheating Arms Race

The pivot to on-demand isn’t without risk. Cheat developers are already probing the new loading rhythm. One possible attack vector involves tricking the system into thinking a game is about to launch, causing the driver to load prematurely, and then exploiting a small window before the game process starts. Another concern is that cheats could persist through game sessions by hooking into the unload process itself.

Riot’s security team has addressed these in its design. The attestation step prevents unauthorized loading; the driver only loads when the game client can prove its integrity through a TPM-backed challenge. Post-game, the driver performs a secure te