Riot Games has flipped the switch on a fundamental change to its controversial Vanguard anti-cheat system. Starting now, the kernel-level driver that once loaded at every system boot will remain dormant until you actually launch a protected game. The on-demand mode, rolling out first for League of Legends on qualified PCs, marks a significant pivot for a security tool that drew fire for its always-on presence.
For years, Vanguard’s kernel driver—vgk.sys—layered itself into Windows the moment you turned on your computer. Critics called it an overreach. Gamers without a Valve game installed resented a driver hogging resources for a game they might not play for days. Privacy advocates warned about a permanent backdoor. Now, Riot is offering a less intrusive path: no game, no driver.
The Big Change at Boot Time
Every Windows user knows the ritual. You power on, wait for the desktop, and then watch a tray icon pop up announcing that Vanguard is active. That tray icon no longer appears by default on systems that meet the new hardware requirements. Vanguard’s kernel module—the piece that runs with the highest system privileges—now stays unloaded until you double-click a Riot title. When you close the game, the driver unloads after a brief grace period, returning your system to a clean state.
The technical shift is non-trivial. Previously, Vanguard’s driver was configured to start at boot via a service with a start type of “SYSTEM_START” or “AUTO_START,” ensuring it loaded before user-mode applications. In the on-demand model, the service switches to “DEMAND_START,” and the Vanguard user-mode agent controls the loading and unloading based on game activity. Microsoft’s design for driver loading requires kernel components to be signed and, in Windows 11, to pass Secure Launch early in the boot process; Vanguard on-demand skirts that entire sequence until the gamer takes action.
How Vanguard On-Demand Works
When you install or update League of Legends on a supported system, Vanguard now installs in a dormant state. The driver file remains on disk, but the service is not started. The moment you click “Play,” the Vanguard client tells the Windows Service Control Manager to start the Vanguard driver. The driver then initializes its kernel callbacks and begins monitoring for cheating tools. If you close the game and no other Riot game is running, the service stops the driver after a configurable delay—typically one to two minutes.
Riot’s engineering team baked in a safety net: if you launch multiple Riot games in quick succession, the driver stays loaded until all of them exit. Exiting the last game triggers the unload timer. Users can also manually force the driver to stop through the Vanguard tray icon, though the game will require a driver restart before the next match.
This design hits a sweet spot between security and system hygiene. Cheat developers often rely on the fact that anti-cheat drivers load early; bypassing early load means Vanguard must still be robust enough to detect cheats that might have injected into the system before the driver initializes. Riot says its detection logic has been retooled to handle post-launch loading without sacrificing integrity.
System Requirements: Why You Need Secure Boot and TPM 2.0
Vanguard On-Demand doesn’t work on just any Windows machine. Riot is gating the feature behind security features that have become standard with Windows 11 but remain optional—and sometimes absent—on Windows 10. The firm requirement is Secure Boot enabled and a TPM 2.0 module present and active.
Why the strict hardware check? When a kernel driver loads on-demand, it must trust that the OS hasn’t been tampered with since the last boot. Secure Boot ensures that the bootloader and kernel are signed and haven’t been modified. TPM 2.0 provides a sealed storage location for measurements that attest to the boot chain’s integrity. Without these, an attacker could patch the kernel or bootloader to hide a rootkit and then later load Vanguard without triggering alerts.
Windows 11 mandates both Secure Boot and TPM 2.0 out of the box, so any Windows 11 PC meets the hardware bar. Windows 10 users need to specifically enable Secure Boot in their UEFI firmware and own a TPM 2.0 chip—features found on most CPUs from Intel’s 8th-gen and AMD’s Ryzen 2000 series onward. Riot’s rollout acknowledges this divide; the official support page lists Windows 11 as recommended, with Windows 10 supported “where compatible.”
Early adopters report that Vanguard’s installer now runs a pre-flight check. If your system lacks these protections, Vanguard defaults to the classic always-on behavior. Riot’s message: upgrade your hardware security, or live with the old model.
The Rollout: League of Legends First, Valorant Later?
League of Legends players are the first to see the change. The on-demand mode went live on the PBE (Public Beta Environment) in late 2024 and has now reached the live client through a gradual rollout. Riot’s communications suggest a phased approach: a small percentage of players receive the update first, with a full global deployment over the following weeks.
Valorant, the game that originally necessitated Vanguard’s kernel-level design, is conspicuously absent from the initial rollout. Valorant’s anti-cheat requirements are stricter because the game is a competitive first-person shooter where even a millisecond of advantage matters. Riot has publicly stated that Vanguard On-Demand will come to Valorant “after extensive testing,” but no timeline exists. For now, Valorant players continue to face the boot-time driver.
Other Riot titles, such as Legends of Runeterra and Teamfight Tactics, may eventually adopt the on-demand mode, but they remain low priority. The focus is on the two giants where cheating pressure is highest.
Performance and Privacy: What Users Stand to Gain
For the average League of Legends player, the most tangible benefit is reduced boot time. A kernel driver that initializes alongside dozens of other services adds seconds to the cold-start process. On systems with older storage or slower CPUs, Vanguard could stretch the boot by five to ten seconds. Removing it from the boot path reclaims that time.
Memory consumption drops as well. Vanguard’s driver allocated around 30–50MB of non-paged pool memory at all times. While modest, that memory is permanently unavailable to applications. On a 8GB or 16GB system, every megabyte counts. With on-demand loading, that memory is freed until a game demands it.
Privacy skeptics get a reprieve too. The kernel driver’s constant presence fed conspiracy theories about data collection. Riot has always maintained that Vanguard inspects only system integrity and doesn’t harvest personal data. Still, the perception of an always-on watcher weighed heavily. An inert driver until game time feels less Big Brother.
Power users accustomed to tweaking driver behavior will find the new model friendlier. Dual-booters who game only on one OS install won’t see Vanguard affect the other side. Virtual machine users, however, still face restrictions: Vanguard requires bare-metal access to security features and won’t run inside most VMs, a limitation unchanged by the on-demand shift.
Community Reaction and Lingering Concerns
Early sentiment on forums and social media tilts largely positive. “Finally, I don’t have to see that red icon in my tray every morning,” one Reddit user posted. Another echoed: “My boot times were suffering. This is a step in the right direction.”
But not everyone is applauding. Technical users worry about the unloading mechanism. If the driver truly unloads, its memory is released, but Windows doesn’t always zero driver memory immediately; sensitive hooks could persist. Security researchers have pointed out that a malicious driver could theoretically re-infect the system between game sessions if Vanguard isn’t watching. Riot counters that the integrity checks performed at driver load and the requirement for Secure Boot and TPM 2.0 significantly reduce that risk.
Another concern: what happens when the on-demand driver loads during an already-cheating session? A cheat loaded before Vanguard could already be active. Riot’s defense is that their detection scans the system at driver initialization as robustly as at boot. But cheat developers are creative; the arms race continues.
Some players with marginally compliant systems report inconsistent behavior. A few on Windows 10 with Secure Boot enabled still get forced into the old mode because of TPM firmware issues. Riot’s support forums are filling with troubleshooting guides for those who want to opt into on-demand but cannot.
The Bigger Picture for Windows Security
Vanguard On-Demand lands at an inflection point for Windows security. Microsoft itself has pushed the kernel anti-cheat conversation forward with initiatives like the Windows Defender System Guard and the Hypervisor-Protected Code Integrity that protects kernel memory. Riot’s move aligns with the industry trend toward enabling strong security features without punishing users who aren’t actively gaming.
Valve’s VAC has always been a userspace and “on-demand” solution, though less aggressive. Easy Anti-Cheat and BattlEye also run as kernel drivers but often load on-demand. Riot’s approach was the outlier. Now, Riot is joining the pack voluntarily, perhaps acknowledging that the boot-time loading was more about engineering simplicity than absolute necessity.
The opt-in nature of the security requirements—effectively mandating a Windows 11-class security posture—gives Microsoft ammunition to continue pushing Windows 11 adoption. When a blockbuster game publisher ties a better user experience to Windows 11 features, fence-sitters might finally migrate.
For enterprise IT, the shift matters too. Vanguard’s always-on driver was a nuisance in corporate environments where personal gaming PCs doubled as work machines under BYOD policies. An on-demand driver reduces the attack surface during work hours, making Vanguard less likely to be flagged by enterprise endpoint detection tools.
What’s Next for Riot’s Anti-Cheat
Riot isn’t stopping at on-demand loading. Internally, engineers are exploring a “lightweight” mode where Vanguard operates entirely without a kernel driver on systems that meet hypervisor-based isolation standards. That would lean on Windows’ own virtualization-based security to inspect memory and code integrity, completely sidestepping the need for a third-party kernel driver.
Such a shift would require deep cooperation with Microsoft, but it’s not science fiction. Windows 11’s Virtualization-Based Security can host a “trustlet” that performs similar monitoring to a kernel driver, albeit with performance implications. For now, the on-demand kernel driver remains the pragmatic middle ground.
Players can expect Riot to extend the requirement for Secure Boot and TPM 2.0 to Valorant’s on-demand mode, likely with even stricter checks. Valorant’s competitive integrity demands that no window of opportunity exist for cheaters. Riot may also implement a “game must restart if driver unloads” policy, so exiting the game mid-session forces a full driver reload and integrity scan before re-entry—closing a potential loophole where a cheater unloads, injects, and relaunches.
For the average Windows enthusiast, the immediate takeaway is simple: if you play League of Legends and your PC has modern security hardware, Vanguard just got a lot less annoying. For everyone else, the pressure to upgrade your security posture has never been clearer. Riot’s move proves that the industry is finally getting serious about balancing aggressive anti-cheat with user experience—and Windows 11 is where that balance plays out.