Riot Games has begun rolling out a new operating mode for its Vanguard anti-cheat system that stops the kernel-level driver from loading at system boot—a fundamental shift that addresses years of user complaints. Dubbed "Vanguard On-Demand," the feature ensures the anti-cheat only loads into memory when you launch a Riot title like Valorant, then unloads when you quit. The catch? It demands a Windows 11 PC with TPM 2.0 and Secure Boot enabled, effectively tying the revamped anti-cheat to Microsoft’s modern hardware security baselines.

Since Valorant’s 2020 launch, Vanguard has been one of the most scrutinized pieces of gaming software. Unlike most anti-cheat solutions, it embeds a kernel-mode driver that starts with Windows and runs continuously—even when no Riot game is active. The driver, vgk.sys, operates at Ring 0, the same privilege level as the operating system kernel itself. This design allowed Riot to detect sophisticated cheats that try to hide from user-mode tools, but it also triggered alarms: the always-on nature meant that a vulnerability in Vanguard could hypothetically be exploited at any time, not just during gameplay, and the driver consumed some system resources even when idle.

Vanguard On-Demand addresses these concerns head-on. Instead of launching the driver at boot and keeping it resident, the Vanguard service now starts manually when a protected game is launched. The driver loads, monitors for cheating, and then—crucially—stops and unregisters itself from the kernel when the game session ends. This approach mirrors many traditional anti-cheat systems, but with a twist: because Vanguard still runs at kernel level during gameplay, it retains the deep visibility needed to catch advanced cheats like kernel-bridge drivers or hypervisor-based aimbots.

How Vanguard On-Demand Works

The secret to on-demand loading without sacrificing security lies in Windows 11’s hardware-rooted trust capabilities. Riot leverages the same isolation and attestation primitives that power features like Credential Guard and Hypervisor-Protected Code Integrity (HVCI). Here’s the technical blueprint:

  • TPM 2.0 and Secure Boot form the foundation. When a PC boots, the UEFI firmware verifies that the bootloader and OS kernel haven’t been tampered with, using digital signatures and measurements logged in the TPM. This ensures the system is in a trusted state before Vanguard ever touches it.
  • Hypervisor-Protected Code Integrity (HVCI), also known as Memory Integrity, ensures that only signed, verified code can run in kernel mode. Vanguard’s on-demand driver must pass this check every time it loads, preventing rogue kernel modules from masquerading as the anti-cheat.
  • Windows Sandboxing and Virtualization-Based Security (VBS) allow the anti-cheat to run in a protected environment, isolating its memory from the rest of the kernel. Even if a cheat manages to load a malicious driver, Vanguard’s own code remains inaccessible.

When you launch Valorant on a compatible Windows 11 PC, the Vanguard service—which starts with Windows but doesn’t load the kernel driver immediately—calls into the Windows Hypervisor Platform to set up a secure partition. It then dynamically loads vgk.sys into that protected space, performs an integrity attestation with the TPM, and begins scanning for cheat patterns. When the game closes, the driver unloads from both the hypervisor and the kernel, and the service returns to a dormant state.

This on-demand architecture would be impossible without the hardware-backed security features that Microsoft made mandatory for Windows 11. Riot’s engineering team stated in a technical blog that the attestation chain—from UEFI firmware to the running Vanguard driver—relies on TPM quotes and Measured Boot logs to prove no tampering occurred. Without TPM 2.0, the driver would have to trust the OS entirely, which is far too risky for a kernel component.
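
The measured-boot check that such an attestation chain depends on can be sketched as follows. This is an added example, not Riot's or Microsoft's code: it replays an event log with the TPM 2.0 extend rule and compares the result to quoted PCR values, assuming the quote's signature and nonce were already verified. Component names, contents and PCR indexes are constructed for illustration.

```python
import hashlib

PCR_INIT = bytes(32)  # SHA-256 bank: PCRs 0-7 are all zeros after reset

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend rule: new PCR = SHA-256(old PCR || event digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure(blob: bytes) -> bytes:
    """Digest recorded for a component before control is handed to it."""
    return hashlib.sha256(blob).digest()

def replay(event_log):
    """Recompute each PCR from an event log of (pcr_index, name, digest)."""
    pcrs = {}
    for index, _name, digest in event_log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs

def verify(event_log, quoted_pcrs, known_good):
    """Return a list of findings; an empty list means the boot looks clean."""
    findings = []
    # 1. The log must reproduce the PCR values reported in the TPM quote.
    replayed = replay(event_log)
    for index, value in quoted_pcrs.items():
        if replayed.get(index, PCR_INIT) != value:
            findings.append(f"PCR{index}: log does not match quoted value")
    # 2. Every logged digest must be on the verifier's allow-list.
    for index, name, digest in event_log:
        if known_good.get(name) != digest:
            findings.append(f"PCR{index}: unexpected measurement for {name}")
    return findings

# Constructed sample data: names, contents and PCR indexes are placeholders.
GOOD = {"bootmgr": b"bootmgr v1", "kernel": b"kernel v1", "driver": b"driver v1"}
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD.items()}
CLEAN_LOG = [(4, "bootmgr", KNOWN_GOOD["bootmgr"]),
             (4, "kernel", KNOWN_GOOD["kernel"]),
             (7, "driver", KNOWN_GOOD["driver"])]
CLEAN_QUOTE = replay(CLEAN_LOG)  # stands in for signed PCR values from the TPM

# A modified kernel measured honestly: PCR 4 changes and the digest is unknown.
TAMPERED_LOG = [(4, "bootmgr", KNOWN_GOOD["bootmgr"]),
                (4, "kernel", measure(b"kernel patched")),
                (7, "driver", KNOWN_GOOD["driver"])]
TAMPERED_QUOTE = replay(TAMPERED_LOG)
```

A log that has been edited to look clean fails the first check, because the PCR values held in the TPM cannot be rewound to match it.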

The Hardware Requirements: A Double-Edged Sword

To use Vanguard On-Demand, your system must meet these exact specifications:

  • Windows 11 (any edition, though 25H2 or later may have optimizations)
  • Trusted Platform Module (TPM) 2.0 enabled in firmware
  • Secure Boot enabled in the UEFI/BIOS
  • Virtualization-Based Security (VBS) active (this is enabled by default on most Windows 11 installs)

These are the same requirements Microsoft has championed since Windows 11 launched in 2021. The contentious hardware check—which once prompted workarounds and a thriving bypass community—now gains a practical gaming purpose. If your PC was built in the last six or seven years, it likely has a TPM 2.0 chip (either discrete or firmware-based like Intel PTT or AMD fTPM). Modern motherboards ship with Secure Boot enabled by default, and Windows 11 Home even requires it during installation.

But the requirement wall leaves many users in the cold. Gamers running older but still capable hardware—such as Intel 6th/7th-generation processors or first-gen Ryzen systems without fTPM—cannot enable the on-demand mode. They remain stuck with the traditional always-on Vanguard if they want to play Valorant. Riot’s support documentation confirms that the legacy driver will still be offered for Windows 10 and non-compliant Windows 11 PCs, but it will not receive the on-demand improvements.

Performance and Privacy: What Changes Immediately

The most immediate benefit is a lighter system footprint when not gaming. Benchmarking by community members on the WindowsNews.ai forum shows that the vgk.sys driver consumed approximately 15–30 MB of non-paged pool memory and contributed to a small but measurable DPC latency when active. With On-Demand, that resource usage drops to zero after quitting the game, and the service itself uses negligible RAM.

Boot times also improve slightly. The old Vanguard driver was one of dozens of kernel modules that had to initialize during Windows startup. While its impact on a fast NVMe SSD system was often under half a second, users on hard drives reported a more noticeable pause. On-Demand eliminates that entirely.

Privacy-wise, the change is significant. An always-on kernel driver with system-wide visibility invited scrutiny because it technically had the ability to inspect any process or network packet, regardless of whether a game was running. Riot always insisted the driver only looked for cheat signatures and was dormant when no Riot game was active, but the mere presence of a privileged, always-active component made users uneasy. With On-Demand, that specter vanishes: the anti-cheat literally isn’t present when you aren’t playing.

Community Response: Relief, Skepticism, and the Windows 10 Divide

Initial feedback from Valorant players and tech forums has been mixed but largely positive. Many players who had long lobbied for an on-demand option finally feel heard. “It’s what Vanguard should have been from day one,” one Reddit user remarked in a thread that gained over 2,000 upvotes within hours of the staged rollout. Others praised Riot for leveraging Windows 11’s security model rather than building an even more intrusive system.

But the Windows 10 divide stings. Steam’s hardware survey still shows over 40% of users on Windows 10, and a large chunk of those are gaming rigs that might not meet Windows 11’s strict TPM/Secure Boot mandates. Riot’s decision to tie the on-demand feature exclusively to Windows 11’s security stack has reignited debates about Microsoft’s “forced obsolescence” tactics. “So I need to upgrade my perfectly good 7700K system just to not have an always-on rootkit?” a user lamented on the WindowsNews.ai forums. Riot hasn’t responded to requests for comment on whether a limited on-demand mode could work on Windows 10 with VBS enabled—a configuration that is possible but less rigorously enforced.

Security researchers are cautiously optimistic. Kenn White, a noted cryptographer and former security architect, tweeted that the architecture “looks solid in principle” but warned that the attestation model is only as strong as the firmware’s implementation. A compromised UEFI or a vulnerable TPM firmware could theoretically forge a clean attestation, though such attacks are far from trivial. Riot’s anti-cheat team acknowledged this on their engineering blog, stating they’ve hardened Vanguard against known UEFI vulnerabilities and plan to deploy “periodic integrity challenges” to detect late-stage tampering.

Comparing Vanguard On-Demand to Other Anti-Cheat Systems

Vanguard’s new mode now resembles how other kernel-level anti-cheat solutions operate—except it still holds a more privileged position. Easy Anti-Cheat, BattlEye, and Valve’s VAC load kernel drivers only when protected games launch and unload them shortly after the game exits. However, those drivers typically run without the hypervisor-based isolation that Vanguard On-Demand enjoys. Riot’s approach adds a layer of protection that makes it harder for cheats to tamper with the anti-cheat itself.

One notable difference: unlike many competitors, Vanguard On-Demand will not function if HVCI is disabled. Some Windows 11 users—especially enthusiasts who overclock or use certain hardware monitoring tools—turn off Memory Integrity because of compatibility issues. Riot’s stance is unambiguous: if you disable this core security feature, the on-demand driver will not load, and you’ll fall back to the legacy always-on Vanguard or be unable to play. This aligns with Microsoft’s own push to keep HVCI on by default, but it will chafe gamers who rely on unsigned drivers for peripherals or tuning utilities.

What This Means for Gaming on Windows

Riot’s move could set a precedent. If the industry’s most aggressive anti-cheat can operate effectively without running 24/7, other developers may feel pressure to follow suit. EA’s kernel-level anti-cheat for FIFA and Battlefield titles, Activision’s Ricochet for Call of Duty, and Ubisoft’s BattlEye integration could all adopt similar trust-based, on-demand models if Vanguard proves successful.

It also strengthens Microsoft’s position that hardware-backed security isn’t just an enterprise feature. For years, TPM and Secure Boot were viewed as nuisances that made installing alternative OSes harder. Now, they’re being positioned as enablers of less invasive gaming anti-cheat. The marketing message is clear: stay with Windows 10 and live with always-on kernel drivers, or move to Windows 11 for a more privacy-respecting experience. Expect Microsoft to highlight this in future Windows 11 promotional materials.

The Road Ahead

Riot is deploying Vanguard On-Demand gradually, starting with a small subset of players who meet the requirements. A full rollout is expected by the end of the quarter. For now, the feature is optional—users can switch between legacy and on-demand modes via the Vanguard tray icon. Riot says it will monitor telemetry on cheat detection effectiveness and may eventually make on-demand the default for all Windows 11 users.

Meanwhile, the company is working with Microsoft to ensure the feature works seamlessly with upcoming Windows 11 25H2 updates, which will likely tighten virtualization-based security further. Early builds indicate that 25H2 will make HVCI mandatory for all clean installs, which would align perfectly with Vanguard’s requirements.

For gamers, the choice is becoming stark: embrace Windows 11’s modern security stack or accept the older, always-on anti-cheat model. As one WindowsNews.ai forum member put it, “I finally feel like my PC is my own when I’m not gaming, but now I’m eyeing that upgrade to a TPM-enabled motherboard sooner than I thought.” Riot’s engineering achievement is real, but it comes with a hardware reality check that not all players are ready to stomach.