Riot Games is adding an on-demand mode for its Vanguard anti-cheat software, allowing League of Legends and VALORANT players to run the kernel-level driver only while playing—if their Windows 11 25H2 PC passes a hardware trust check. The change marks a significant pivot for Vanguard, which since its 2020 launch has operated as an always-on service loading at boot to maintain integrity from the moment a system starts. The new mode, slated to debut on systems meeting strict Windows 11 security requirements, uses Trust Platform Module (TPM) attestation to verify the platform’s trustworthiness before granting the option to disable Vanguard outside of gameplay. It is a direct response to long-standing community friction over resource consumption, privacy concerns, and the invasive nature of kernel anti-cheat.

Riot has confirmed the feature will first become available on Windows 11 25H2, the next feature update that builds on 24H2’s security foundations. Users must have a TPM 2.0 chip, Secure Boot enabled, and a CPU supporting virtualization-based security. Microsoft’s hardware-backed attestation mechanism then validates the boot chain, hypervisor, and OS integrity before Vanguard can toggle into an on-demand state. If the system fails any check, Vanguard reverts to its classic always-on mode, ensuring no security gap.

Vanguard’s Kernel Roots and the Always-On Debate

Riot Vanguard debuted with VALORANT in 2020 as a necessary evil in the fight against sophisticated cheats. Unlike traditional anti-cheat that launches with the game, Vanguard’s kernel driver (vgk.sys) starts with Windows, granting it deep visibility into system processes before any user-mode applications load. This allows it to detect cheat loaders that hide from conventional scanners. However, the driver runs continuously, consuming CPU cycles and memory even when no Riot game is active. Players on low-end hardware or those concerned about kernel-level access quickly voiced frustration.

The controversy intensified when security researchers noted that a kernel driver theoretically becomes a privileged attack surface. While Riot has consistently patched vulnerabilities and offers a bounty program, skepticism remained. Over the years, the company added a tray icon to unload Vanguard temporarily, but the process required a reboot to re-enable—hardly convenient. The on-demand mode directly addresses this by making Vanguard active only during gameplay, then unloading it completely when the game closes, all without a restart.

How the On-Demand Mode Works

The new mode relies on Windows 11 25H2’s enhanced kernel trust framework. When a user opts in, Vanguard performs an initial hardware attestation: the TPM 2.0 securely reports the system’s measured boot state, including firmware, bootloader, and OS kernel integrity, to a Riot-controlled attestation service. This service, leveraging Microsoft’s cloud-based attestation APIs, verifies that the platform is unmodified and running a trusted configuration. If the attestation passes, Vanguard enters on-demand mode. The next time the game launches, Vanguard loads dynamically and unloads on exit—no reboot needed.

Crucially, this process doesn’t send any personal data; TPM attestation works with cryptographic hashes, not user content. Riot emphasizes that the attestation payload contains only platform integrity measurements, similar to how Windows Hello uses TPM for biometric verification. The handshake between the TPM, Windows Secure Kernel, and Riot’s backend ensures the environment hasn’t been tampered with—from the UEFI firmware up to the hypervisor (if Hyper-V or Virtualization-Based Security is active).

Windows 11 25H2 introduces kernel-mode attestation improvements that make this seamless. Microsoft has been gradually expanding the Windows Hardware Compatibility Program to mandate features like Secure Boot, TPM 2.0, and memory integrity (HVCI) for new devices. With 25H2, the attestation protocol gains support for dynamic root of trust measurements (DRTM), allowing Vanguard to re-validate the system each time the driver loads, not just at boot. This drastically reduces the risk of a late-load cheat slipping through.

Benefits for Players and System Performance

For years, players with older or resource-constrained PCs complained that Vanguard’s background overhead hurt everyday performance. Benchmarks by third parties have shown that Vanguard can consume 50–100 MB of RAM and a measurable amount of CPU time, especially on systems with slower storage. In on-demand mode, that overhead disappears when not gaming. Users can keep Vanguard installed without feeling its presence during work, browsing, or other tasks—a direct win for user experience.

For competitive integrity, the on-demand mode doesn’t weaken anti-cheat effectiveness when the game is running. Because the attestation chain proves the platform was clean before Vanguard loaded, and the driver can still monitor kernel events during gameplay, cheats that attempt to hide in memory or inject code are still detectable. Riot states that the attestation requirement effectively raises the bar for cheat developers, as they would need to compromise the TPM or the attestation service itself—an extremely high-effort attack.

Potential Drawbacks and Community Skepticism

Not all Windows 11 PCs will qualify. TPM 2.0 has been mandatory since Windows 11’s launch, but many desktop motherboards have a TPM header without a module installed; some laptop owners may have disabled Secure Boot for compatibility. The 25H2 requirement also locks out Windows 10 users—who still make up a significant portion of the player base—until they upgrade. Riot hasn’t confirmed if the feature will ever be backported; for now, only the latest Windows 11 build is eligible.

Privacy advocates remain cautious, even though no user data is transmitted during attestation. The mere existence of a remote attestation step has raised eyebrows, with some forums likening it to a “phone home” mechanism. However, tech-savvy users note that TPM attestation is a standard enterprise practice, used by companies to ensure devices are compliant before accessing corporate networks. The attack surface is limited to verifying hashes, not inspecting user files.

A more practical concern is false negatives: if a system fails attestation due to a benign configuration change (like a recent driver update not yet whitelisted), the user loses on-demand mode until the platform is re-validated. Riot will need a smooth process for updating trust measurements to avoid alienating legitimate players.

How Riot’s Move Influences the Anti-Cheat Landscape

Vanguard’s always-on model sparked a broader industry conversation about kernel access. Other anti-cheat solutions, such as Easy Anti-Cheat and BattlEye, also use kernel drivers but typically load with the game and unload when it closes. Vanguard’s shift toward an on-demand approach could pressure competitors to adopt similar hardware-based trust mechanisms, especially as Microsoft reinforces its security baseline.

Microsoft itself has a stake in this evolution. The company has been discouraging third-party kernel drivers because they compromise system stability and security. By providing robust attestation APIs in Windows 11 25H2, Microsoft essentially offers a way for anti-cheat developers to achieve the same level of trust without permanently running in kernel mode. This aligns with its long-term vision of moving security features out of the kernel and into user-mode protected services, like the Secure Enclave.

For Riot, the on-demand mode is also a commercial move. A less intrusive Vanguard could attract new players who hesitated to install kernel-level software. With VALORANT expanding to consoles and mobile, where anti-cheat is handled differently, PC player sentiment matters. Offering choice—always-on or on-demand—keeps the core competitive experience while respecting user autonomy.

Real-World Trials and Early Feedback

Although the feature is still in limited testing, leaks from insider builds of Windows 11 25H2 suggest the on-demand mode integrates through a Vanguard system tray update. A toggle labeled “Vanguard on-demand (requires attestation)” appears when the system passes all checks. Clicking it initiates the attestation and confirms the switch. From that point, Vanguard only runs when the game client is active. Early testers on the VALORANT subreddit report that the transition is seamless; the game launcher triggers Vanguard loading in under two seconds, with no impact on match start times.

Some power users have already expressed interest in using the attestation log to verify what exactly is being checked. Riot has promised a transparency report detailing the attestation payload, though no release date is set. Enthusiasts hope for an open validation tool similar to Microsoft’s “Windows Defender System Guard” logs.

What’s Next for Vanguard and Windows Security

The on-demand mode will likely roll out alongside the public release of Windows 11 25H2, expected later this year. Riot plans a staggered deployment, starting with VALORANT and League of Legends in North America and Europe, with other regions following. The feature will require a game client update, a Vanguard update, and the specific Windows build.

Looking ahead, Riot could expand this attestation model to more than just the boot chain. Future iterations might incorporate runtime integrity checks using Microsoft’s “System Guard Runtime Attestation,” which can continuously validate critical system components during gameplay. This would allow detection of cheats that attempt to unhook kernel callbacks mid-session.

For Windows users, the Vanguard change is another sign of Microsoft’s security-first direction. Windows 11 25H2 isn’t just about anti-cheat; the same attestation APIs are used by Windows Hello for Business, BitLocker, and corporate VPN clients. The convergence means stronger gaming security without sacrificing general-purpose computing.

Conclusion: A Pragmatic Evolution

Riot Vanguard’s on-demand mode is a pragmatic compromise: it retains the robust kernel-level enforcement that competitive shooters demand, while giving users control over when that driver is active. By tying the feature to Windows 11 25H2 and TPM attestation, Riot ensures that only systems with a verified, uncompromised boot chain can relax the always-on requirement—a clever use of hardware-rooted trust.

Skeptics will remain, and the hardware requirements will exclude many. But for those on modern Windows 11 PCs, the change is a net positive. It reduces resource drain, respects user consent, and may even nudge the industry toward more intelligent anti-cheat architectures. As Windows evolves toward a hardened-by-default posture, tools like Vanguard will increasingly leverage silicon-level security, and the on-demand mode is merely the first visible outcome.