For months, Valorant enthusiasts running Windows 11 have been ambushed by a frustrating error: VAN9003, accompanied by the message “This build of Vanguard is out of compliance with current system settings.” This isn't a transient bug but a deliberate consequence of the operating system’s tightened security stance colliding with Riot Games’ kernel-level anti-cheat driver, Vanguard. The result: a perfect storm of platform configuration, BIOS fiddling, and driver reinstalls that has sent gamers scurrying to forums and support pages.

The error crystallized in late 2022 and persisted through 2024, hitting systems after routine Windows updates, BIOS changes, or seemingly at random. Yet, through a combination of official guidance from Riot and crowdsourced community expertise, a reliable set of remedies has emerged. Enabling Secure Boot and TPM 2.0, ensuring the VGC service runs, and performing a clean reinstall of Vanguard now solve most cases. This article dissects the technical underpinnings of VAN9003, chronicles its timeline, and provides a step-by-step playbook for fixing it, while highlighting the broader implications for platform security and application compatibility.

Background: Why Vanguard, Windows 11, and VAN9003 Intersect

Vanguard is an anti-cheat system that operates at the kernel level, embedding itself deeply into the Windows boot and kernel lifecycle to detect tampering from the earliest moments of system startup. Unlike conventional anti-cheat tools that run in user mode, Vanguard loads before many other drivers, giving it unparalleled visibility into system integrity. Windows 11, by contrast, raised the security bar significantly over its predecessors by mandating UEFI, Secure Boot, and TPM 2.0, along with pushing virtualization-based security features. These requirements are not arbitrary; they form a trusted foundation that verifies every piece of code during the boot process.

Vanguard’s attestation logic now relies on this secure boot chain to verify that the system environment hasn’t been compromised before allowing Valorant to launch. When the OS or firmware reports a state that Vanguard deems untrustworthy—Secure Boot disabled, UEFI/CSM conflicts, or missing TPM attestation—the anti-cheat refuses to load, triggering error codes like VAN9001, VAN9003, or VAN9090. Riot’s support documentation explicitly ties VAN9003 to Secure Boot not being enabled on Windows 11. This deliberate coupling means any change in firmware settings, a Windows update that touches the boot chain, or an OEM BIOS quirk can break the handshake, producing the out-of-compliance message. Community logs show this pattern repeating across motherboards from Gigabyte, ASUS, MSI, and others during various update waves.

Technical Anatomy: What VAN9003 Actually Checks

To understand why VAN9003 fires on many systems, it’s essential to dissect the checks Vanguard and Windows perform:

  • Secure Boot: UEFI Secure Boot verifies the signatures of boot components, blocking unsigned or tampered bootloaders and drivers. Vanguard expects Secure Boot to be active on Windows 11. If msinfo32 reports Secure Boot as “Off” or “Unsupported,” Vanguard may block.
  • TPM 2.0 / Attestation: The Trusted Platform Module provides hardware attestation and key protection. Windows 11 leverages TPM for several security features, and Vanguard’s recent builds can depend on TPM state to verify the platform’s integrity. A disabled or misreported TPM often leads to errors like VAN9090.
  • Boot Mode (UEFI vs Legacy/CSM): Windows 11 requires UEFI; a system in legacy BIOS/CSM mode may lack Secure Boot. Toggling between UEFI/CSM and Secure Boot modes, or toggling Secure Boot between “Custom” and “Standard,” has repeatedly been correlated with resolving or creating VAN9003 errors.
  • Vanguard Components and Services: Vanguard installs kernel drivers and the VGC service (vgc.exe). If the VGC startup type is incorrect or the driver is corrupted—often after an OS update—Valorant fails. Many users fix the issue by reinstalling Vanguard or setting VGC to Automatic and restarting.
  • Windows Update/Firmware Interactions: Cumulative updates can alter how Secure Boot and TPM are reported. Some Windows updates have spiked Vanguard compatibility issues; in a few cases, Microsoft issued out-of-band fixes. The relationship is path-dependent: one system recovers after a restart while another still needs a BIOS or Vanguard reinstallation.

Timeline and Root Causes

The VAN9003 saga unfolded over a period marked by specific triggers and community responses:

  • Late 2022–2023: Early reports emerged as users upgraded to Windows 11 or changed BIOS settings. The initial fix—enabling Secure Boot and TPM, plus ensuring UEFI mode—was circulated rapidly on forums.
  • 2023–2024: As Windows 11 feature updates and monthly cumulative updates rolled out, more users encountered VAN9003 even with Secure Boot and TPM enabled. The distinguishing factor often came down to how motherboard firmware handled Secure Boot modes (Standard vs Custom) and whether the VGC service started automatically. Specific updates, such as certain Windows 11 22H2 cumulative patches, were frequently cited in community spikes.
  • 2024 onward: Riot consolidated official troubleshooting guidance, walking users through msinfo32 and tpm.msc checks, BIOS configuration, and Vanguard reinstalls. Independent tech outlets and community threads documented the now-standard fixes, reinforcing the importance of Secure Boot, TPM, and service management.

Critically, not every VAN9003 instance is identical. Some stem from corrupted Vanguard installations, service permission issues, or conflicting third-party drivers. When available, Riot’s diagnostic tools and support logs help pinpoint the exact cause.

Verified Fixes: A Step-by-Step Checklist

Drawing from Riot’s official guidance and corroborated by extensive community testing, the following steps resolve the majority of VAN9003 cases. Follow them in order, stopping once the error clears. Caution: Do not edit BIOS settings unless you are comfortable and have backups.

1. Quick Windows System State Verification

  • Press the Windows key, type msinfo32, and press Enter. Confirm that BIOS Mode shows UEFI and Secure Boot State shows On.
  • Press the Windows key, type tpm.msc, and press Enter. Verify that Specification Version is 2.0 and that Status reads “The TPM is ready for use.”

2. Confirm VGC Service State

  • Open services.msc, locate VGC, right-click → Properties. Set Startup type to Automatic, start the service, then reboot. Many users report immediate resolution after this step.

3. Toggle Secure Boot Mode in UEFI (If Secure Boot Shows On but Error Persists)

  • Some motherboards (notably Gigabyte, ASUS, MSI) require toggling Secure Boot Mode from Standard to Custom and back, or temporarily disabling CSM (Compatibility Support Module), then rebooting. This odd BIOS dance clears OEM firmware states that misreport Secure Boot. Record your current settings before changing.

4. Clean Reinstall Vanguard

  • Uninstall Riot Vanguard from Apps & Features, reboot, then launch Valorant to trigger a fresh Vanguard install. This replaces corrupted drivers and resets kernel components. Persistent cases often clear after this.

5. Repair OS Files

  • Open an elevated Command Prompt and run:
    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth
    Reboot afterward. These tools fix system file corruption that might cause inconsistent reporting of Secure Boot.

6. Update BIOS/UEFI and Windows

  • Apply the latest motherboard firmware and Windows cumulative updates. Firmware updates frequently include fixes for TPM/Secure Boot reporting and UEFI compatibility. After updating, re-verify BIOS settings and reinstall Vanguard if needed.

7. If All Else Fails: Collect Logs and Contact Riot Support

  • Use Riot’s diagnostic/repair tools, gather system info (motherboard model, BIOS version, Riot log bundles), and submit a ticket. Riot can analyze attestation logs for complex driver/firmware mismatches.
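
The state checks described under “Technical Anatomy” and in steps 1 and 2 of the checklist can be read in one pass from an elevated PowerShell session. This is an added example, not code from Riot or from the original article; it assumes the service is registered under the name vgc, uses a hypothetical helper name Test-VanguardPrerequisites, and changes no settings.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only versions of the msinfo32, tpm.msc and services.msc checks.
# Assumptions: the Vanguard service is registered under the name 'vgc';
# Test-VanguardPrerequisites is a hypothetical helper name.

function Test-VanguardPrerequisites {
    $results = [ordered]@{}

    # msinfo32 "BIOS Mode": Windows 11 requires UEFI rather than legacy BIOS/CSM.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $results['BIOS mode is UEFI'] = ($firmware -eq 'Uefi')

    # msinfo32 "Secure Boot State": the cmdlet returns $true/$false on UEFI systems
    # and throws on legacy BIOS/CSM, so an exception is recorded as a failed check.
    try   { $results['Secure Boot is on'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $results['Secure Boot is on'] = $false }

    # tpm.msc "Status": the TPM must be present and ready for use.
    # A missing or unreadable TPM is recorded as a failed check.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $results['TPM present and ready'] = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    # tpm.msc "Specification Version": SpecVersion looks like "2.0, 0, 1.38".
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $results['TPM specification is 2.0'] = [bool]$spec -and (($spec -split ',')[0].Trim() -eq '2.0')

    # services.msc: VGC should exist, start automatically and be running.
    $svc = Get-Service -Name 'vgc' -ErrorAction SilentlyContinue
    $results['VGC service installed'] = ($null -ne $svc)
    $results['VGC startup is Automatic'] = ($null -ne $svc) -and ($svc.StartType -eq 'Automatic')
    $results['VGC service running'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    foreach ($entry in $results.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Pass = [bool]$entry.Value }
    }
}

$report = @(Test-VanguardPrerequisites)
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("Failed checks: " + ($failed.Check -join '; '))
}
```

The script reports only what Windows exposes and does not reproduce Vanguard's own attestation, so a clean report alongside a persisting VAN9003 points to the other steps in the checklist (Secure Boot mode toggle, Vanguard reinstall, firmware update).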

Practical Scenarios: Common User Cases and Their Fixes

  • Scenario A: Secure Boot Shows “Off” in msinfo32
    Enter UEFI/BIOS, enable Secure Boot, set mode to Standard, disable CSM if present, save and reboot. Confirm msinfo32 now shows Secure Boot as On. Reinstall Vanguard if Valorant still fails.

  • Scenario B: Secure Boot and TPM Are Enabled but VAN9003 Persists
    First, set VGC to Automatic and start the service. If that doesn’t work, reinstall Vanguard and run the Riot Repair Tool as admin. Then try toggling Secure Boot Mode (Custom ↔ Standard) with reboot cycles. Community reports indicate a high success rate with this sequence.

  • Scenario C: Error Appears After a Windows Cumulative Update
    Check for known regressions on forums and vendor sites. Reinstall Vanguard and update the motherboard BIOS. If the update is known to cause issues, look for out-of-band fixes from Microsoft or your motherboard vendor before disabling security features.

Risks, Tradeoffs, and Important Cautions

  • Never disable Secure Boot or TPM as a shortcut. These protections guard against boot-level tampering. Turning them off weakens system security and is not a sustainable fix.
  • BIOS changes carry risk. Incorrectly editing UEFI settings or flashing firmware can brick a system. Always back up current settings and follow OEM instructions; seek professional help if unsure.
  • Vanguard operates at kernel level, which raises privacy considerations for some users. While those concerns are separate from fixing VAN9003, they are real and widely discussed. Removing Vanguard prevents Valorant from running; reinstalling is mandatory to play.
  • Not every VAN9003 case is about Secure Boot/TPM. Corrupted Vanguard installs, service permissions, or third-party drivers can also trigger the error. If standard steps fail, collect logs for deeper analysis.

Why This Matters Beyond Gamers: Platform and Vendor Implications

The VAN9003 incident is a microcosm of the tension between platform hardening and application compatibility. Windows 11’s stronger security posture is a win for the ecosystem, but it creates friction for software that relies on low-level drivers and attestation. Enterprises and IT administrators should take note:

  • Update testing and pilot rings are critical. Cumulative updates or servicing stack changes can inadvertently affect how firmware or boot components report their state. Thorough testing on representative hardware is essential.
  • Clear vendor communication reduces support burdens. Motherboard makers that document Secure Boot and TPM configuration specifics save users and support teams hours of troubleshooting. The inconsistent behavior across OEMs amplified confusion.
  • Coordinated release testing between anti-cheat teams and OS vendors is necessary. Kernel-level software demands close collaboration with OS vendors during feature updates. Ad hoc coordination leads to these exact scenarios.

Conclusion: A Case Study in Modern Platform Security

VAN9003 was never a single, exotic bug; it was the visible symptom of a deeper clash between Windows 11’s security architecture, real-world firmware diversity, and frequent OS changes. The fix checklist—verify Secure Boot and TPM, ensure VGC runs, reinstall Vanguard, update firmware and Windows—resolves the vast majority of cases. Yet the episode underscores the fragility that occurs when kernel-level components must align with platform security mechanisms across hundreds of OEM firmware variants.

For players, the path forward is methodical troubleshooting, avoiding security-weakening shortcuts. For the industry, the call is for tighter integration testing and clearer documentation. When the boot chain becomes the battleground, fixing gaming errors becomes an exercise in system security hygiene—a lesson that resonates far beyond Valorant.