Riot Vanguard finally drops its controversial always-on requirement for anti-cheat — new on-demand mode requires a strict Windows 11 security stack

Riot Games has made a significant announcement regarding its Vanguard anti-cheat system, introducing a new feature that allows players to control when the software loads. This change marks the end of the long-standing practice of having the kernel driver load at Windows start-up, a behavior that has been in place since 2020.

Vanguard On-Demand: A New Era for Players

The newly introduced Vanguard On-Demand mode will only activate the driver when a Riot game is launched, subsequently unloading it upon exit. This advancement is made possible by a feature in Windows 11 25H2, which records driver activity even while Vanguard remains dormant. However, this functionality depends on a specific security configuration: UEFI Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU must all be enabled.

Phillip Koskinas, Riot’s anti-cheat lead, indicated that approximately 35% of players currently meet these hardware requirements, while around 3% are using incompatible systems. To assist players, Riot has established a qualifying checklist termed Vanguard Pre-Check. Many prebuilt PCs and laptops sold in recent years come equipped with these features enabled by default. Koskinas estimates that the percentage of fully secured machines is around 34.33% and is increasing by one to two percentage points each month.

For those whose systems do not meet the criteria, manual adjustments will be necessary. Most of these settings are found within UEFI, which means players may need to navigate into their BIOS to enable them if they wish to take advantage of the new on-demand feature.

At the core of this development is Microsoft’s Runtime Driver Attestation Report, a collaboration with the Xbox OS Security team that is new to Windows 11 25H2. The report tracks every driver loaded since boot by maintaining a running, append-only hash stored in the TPM, mirroring the measured-boot approach the Windows Boot Manager already uses for boot-start drivers. As a result, Vanguard can verify at launch that no vulnerable drivers were loaded while it was inactive, which addresses the security concern that necessitated the previous always-on design.
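The running, append-only hash described in this paragraph can be illustrated with the standard measured-boot extend operation, new = SHA-256(old || measurement). This is an added example, not Riot's or Microsoft's code and not the report's actual format, which the article does not describe; the driver names, image bytes and blocklist are constructed sample data.

```python
import hashlib

def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || measurement). Order-sensitive, append-only."""
    return hashlib.sha256(register + measurement).digest()

def replay(log):
    """Recompute the register from an ordered list of (driver_name, image_bytes) loads."""
    register = bytes(32)  # assumption: the register starts at all zeros at boot
    for _name, image in log:
        register = extend(register, hashlib.sha256(image).digest())
    return register

def verify(log, attested_register, blocklist):
    """Return (ok, reason). The log is trusted only if it replays to the attested value."""
    if replay(log) != attested_register:
        return False, "log does not match attested register"
    for name, image in log:
        if hashlib.sha256(image).hexdigest() in blocklist:
            return False, f"blocklisted driver loaded: {name}"
    return True, "clean"

# Constructed sample data: these names and bytes are made up for the example.
GOOD = [("disk.sys", b"disk-driver-image"), ("net.sys", b"net-driver-image")]
BAD_DRIVER = ("oldvuln.sys", b"vulnerable-driver-image")
BLOCKLIST = {hashlib.sha256(BAD_DRIVER[1]).hexdigest()}

def demo():
    # Case 1: only known-good drivers were loaded.
    clean = verify(GOOD, replay(GOOD), BLOCKLIST)
    # Case 2: a blocklisted driver was loaded while the verifier was not running.
    full_log = GOOD + [BAD_DRIVER]
    register = replay(full_log)  # stands in for the value held in the TPM
    honest = verify(full_log, register, BLOCKLIST)
    # Case 3: the log is edited to hide that load; the register cannot be rewound,
    # so the shortened log no longer replays to the attested value.
    hidden = verify(GOOD, register, BLOCKLIST)
    return clean, honest, hidden

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because each extend hashes over the previous value, a verifier that starts late can still detect an earlier load: either the log lists it, or the log fails to replay.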

Riot Games has been steadfast in its commitment to a robust security framework, having mandated TPM 2.0 and Secure Boot on Windows 11 since 2020. The company faced criticism when these requirements were applied to League of Legends in 2024. In December, it flagged a pre-boot motherboard flaw affecting several major manufacturers, including Asus, Gigabyte, MSI, and ASRock. A recent Vanguard update also targeted DMA cheat hardware, likely linked to stricter enforcement of IOMMU.

However, enabling VBS and HVCI may pose challenges for users eager to use Vanguard’s on-demand mode. Both technologies run parts of the kernel within a hardware-isolated enclave, and benchmarks have consistently shown a slight yet noticeable impact on frame rates, leading many gamers to disable them. Additionally, activating VBS turns on Microsoft’s vulnerable driver blocklist, which could disable older peripheral drivers.

AppWizard