Riot Vanguard’s on-demand anti-cheat cuts startup load with Windows 11 updates

Riot Games has moved to address long-standing criticisms of its Vanguard anti-cheat by introducing an on-demand mode that eliminates the kernel driver’s automatic loading at Windows startup. The new approach, called Vanguard On-Demand, activates the driver only when a Riot game launches and removes it on exit, a shift made possible by a recent Windows 11 feature that tracks driver activity even when the software is idle.

The feature requires a tightly defined hardware and firmware configuration to ensure security integrity. Players must have UEFI Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU enabled. Phillip Koskinas, Riot’s lead for anti-cheat systems, noted that roughly 35% of users already meet these criteria, while about 3% are running incompatible hardware. Riot refers to this configuration as the Vanguard Pre-Check, a set of security requirements that many prebuilt PCs and laptops shipped in recent years already satisfy.

How Vanguard On-Demand works and who qualifies

The technical foundation for this change lies in Microsoft’s Runtime Driver Attestation Report, a feature introduced with Windows 11 version 25H2. This report maintains a continuous log of all loaded drivers since system boot, stored as a tamper-resistant hash in the TPM. When Vanguard starts in on-demand mode, it verifies that no vulnerable or unauthorized drivers were loaded while the anti-cheat was inactive. This verification closes a critical security gap that previously justified the always-on design.

However, the feature is not backward compatible. Older versions of Windows lack the necessary reporting hooks, making Windows 11 25H2 a strict requirement. Users with compatible hardware must manually enable the security stack through their system’s UEFI firmware settings, as Vanguard cannot automate these toggles. Riot emphasizes that the process is optional and does not force changes on existing users.

Security trade-offs and performance considerations

For many gamers, the most challenging components of Riot’s security checklist are VBS and HVCI. These technologies isolate core kernel functions within hardware-enforced enclaves, which can introduce measurable performance overhead. Benchmarks have shown small but consistent frame rate reductions when these features are enabled, a trade-off that has deterred some users. Additionally, activating VBS triggers Microsoft’s vulnerable driver blocklist, which may disable older peripheral drivers and cause compatibility issues with established hardware setups.

Riot’s decision to make participation optional reflects an understanding of these trade-offs. "We’re not making anyone change anything," Koskinas stated, underscoring the company’s commitment to gradual adoption. For users who prioritize performance or lack compatible hardware, the traditional always-on Vanguard mode remains available without modification.

The road ahead for Vanguard and anti-cheat standards

Riot’s shift aligns with broader industry trends toward more flexible and transparent anti-cheat systems. The company has historically pushed for stricter security standards, including TPM 2.0 and Secure Boot requirements introduced in 2020. While these measures have strengthened protection against cheat developers, they have also sparked controversy, particularly in 2024 when League of Legends adopted similar policies. Recent incidents, such as a pre-boot motherboard flaw across major vendors and a Vanguard update that bricked certain cheat hardware, highlight the ongoing tension between security and user experience.

Looking forward, the success of Vanguard On-Demand will depend on two factors: the pace at which users adopt the required security stack and Microsoft’s continued refinement of its driver attestation tools. As the ecosystem matures, Riot may find it easier to balance protection and performance, but for now, the onus remains on players to evaluate whether the trade-offs are worth the enhanced stability.