Riot Games dropped a major update for its anti-cheat arsenal on June 24, 2026, announcing that Vanguard will finally stop hogging system resources from the moment you boot your PC. On Windows 11 version 25H2, the kernel-level driver that protects Valorant and League of Legends from cheaters will now load on demand—only when you actually launch the game. The change ends years of griping from players about unwanted startup bloat, while Riot insists the new architecture makes PC checks even more rigorous once you’re in a match.
A Kernel-Level Legacy That Divided Gamers
Since its introduction in 2020 with Valorant, Vanguard has been one of the most controversial pieces of gaming software. Unlike most anti-cheat solutions that run as user-mode services, Vanguard operates a kernel-mode driver that starts with Windows and runs continuously. This “always-on” design gave it deep visibility into the system to detect even the most sophisticated cheats that manipulate the operating system at its core. But it also drew fire from privacy advocates and gamers who disliked having a third-party driver permanently embedded in their OS’s highest privilege ring.
For years, Riot defended the architecture as essential to maintaining competitive integrity. Kernel-level access allows Vanguard to monitor system calls, detect memory tampering, and block unsigned driver loading—all techniques cheaters exploit. Compromises like a “tray icon to disable” or “unload after exiting the game” were rejected because they left windows of vulnerability. The result was a polarizing status quo: serious players accepted the trade-off, while critics fumed on forums about performance hits and surveillance overreach.
Windows 11 25H2 Unlocks a New Model
The turning point came with Windows 11 version 25H2, released earlier in 2026. This update brought substantial enhancements to Virtualization-Based Security (VBS) and the Hypervisor-Protected Code Integrity (HVCI) stack. Microsoft’s engineering allowed trusted kernel-mode drivers to be invoked and revoked dynamically through secure attestation protocols that tie into the system’s TPM 2.0 chip and Secure Boot chain. In practice, an anti-cheat driver can now be loaded just in time, its integrity verified against a known good state, and then unloaded cleanly without leaving the kernel exposed.
Riot’s engineers spent close to 18 months collaborating with Microsoft to adapt Vanguard to this model. The on-demand Vanguard, codenamed internally as “Vanguard Next,” leverages a new Windows kernel API—MmLoadSystemImageEx—that supports signature-enforced, page-locked driver loading with session-based lifetimes. When a player launches a Vanguard-protected game, the Riot client signals the Windows hypervisor to instantiate the Vanguard driver within a protected memory enclave. The hypervisor seals it from tampering, and it can inspect the game process and kernel state without a permanent installation.
Once the game closes, the hypervisor tears down the enclave and Vanguard exits the kernel entirely. Curiously, however, Riot’s blog post emphasized that the driver doesn’t simply disappear: Windows 11 25H2’s fast driver cache and atomic integrity checks mean a subsequent launch is nearly instantaneous. “It’s like having a security guard who clocks in the moment you show up and clocks out when you leave, but never forgets the building layout,” quipped a Riot engineer during a preview call.
Faster Boots, Cooler Laptops
The most immediately obvious benefit is boot time. With Vanguard no longer in the startup chain, Windows loading speeds improve—especially on devices with slower storage. Riot’s internal benchmarks on a mid-range NVMe SSD showed a 2–4 second reduction in bare-metal boot time; on SATA SSDs the gain stretched to 7 seconds. That might seem trivial, but gamers who dual-boot or frequently restart benefit cumulatively. More importantly, Vanguard’s missing kernel thread means fewer background CPU cycles consumed at idle. On laptops, this translates to tangible battery life savings during non-gaming tasks.
The change also resolves long-standing conflicts with other kernel-level software. System utilities, hardware monitoring tools, and even some VPNs have historically clashed with Vanguard’s continuous presence. By eliminating the driver when not gaming, Riot sidesteps compatibility headaches that often forced users to choose between Vanguard and essential software.
More Secure PC Checks—How?
The headline promise of “more secure PC checks” sounds paradoxical when you’re removing an always-on sentinel. But Riot argues the new architecture actually tightens the noose around cheaters. The on-demand driver operates within a hardware-isolated environment that is invisible even to an administrator. Traditional cheats that tried to evade Vanguard by loading before it or interfering with its initialization now face a driver that emerges fully formed from the hypervisor with no exposed boot-phase vulnerability.
Furthermore, Vanguard Next adds an enhanced trust score system. On first launch after installation, the driver performs an exhaustive system audit—certifying the OS’s integrity via TPM measurements, scanning loaded modules, and taking a snapshot of the PCI configuration space. This “birth certificate” is stored in the TPM’s non-volatile storage and compared on every subsequent launch. Any deviation raises a flag and can trigger re-verification or even a competitive cooldown. Riot says this mechanism makes it far harder for cheat developers to maintain persistent rootkits that survive across reboots.
Periodic, lightweight checks also occur during gameplay. Instead of the driver constantly polling, it uses Windows 11 25H2’s kernel object callback notifications to be woken only when specific events (like process creation, thread injection, or memory region access by foreign threads) are detected. This event-driven model actually increases sensitivity to certain exploit techniques that previously relied on gaps between Vanguard’s active scans.
How Gamers React
Early feedback from the Riot community in the Windows forum echo chamber has been cautiously optimistic. Many users who had previously bypassed Vanguard by disabling it in device manager or using dual-boot setups are now willing to give it a try. “Finally, I don’t have to decide between playing Valorant and having a clean system tray,” one Reddit user posted minutes after the announcement. Others praised the technical sophistication, noting the reliance on Windows 11 25H2’s hypervisor is a wiser use of modern hardware than simply bolting on a startup driver.
Skeptics remain. Privacy advocates point out that the on-demand model still loads a kernel driver with extensive privileges, and the “birth certificate” implies a persistent identifier that could be used for tracking. Riot responded that all measurements are stored locally within the TPM and are never transmitted; they are used only for integrity verification. Additionally, the new driver’s behavior under HVCI means its memory is encrypted and isolated, making it far harder for malware to piggyback—a security boon that applies to the entire OS even when Vanguard isn’t running.
Potential Downsides and the Hardware Tax
Running Vanguard within a hypervisor enclave is not free. Initial testing shows a slight increase in CPU usage during the loading phase—typically 1–3% on modern 8-core processors—as the hypervisor allocates and verifies the driver image. On lower-end CPUs, this could translate to a marginally longer match load time. However, because the driver is unloaded after gaming, the overall system performance profile is net positive for most users.
Also, hardware compatibility is no longer optional. The on-demand mode demands a TPM 2.0 module and HVCI support. While all Windows 11 certified PCs ship with these, some custom-built rigs or older motherboards might lack a firmware TPM or have faulty HVCI implementations. Riot has published a system check tool to diagnose readiness. Machines that don’t meet the bar will revert to the legacy persistent driver, but they may also face future restrictions—Riot hinted that in 2027, competitive matchmaking might require the on-demand model.
Privacy hawks have voiced concern over the “birth certificate” stored in TPM. Because it takes a system snapshot, it could theoretically be used to fingerprint a PC. Riot insists the data never leaves the local TPM and is erased if Vanguard is uninstalled. They also note that Windows 11 25H2’s general TPM measurements already create a system identity, so Vanguard’s addition is not unique. Still, the debate over anti-cheat as a quasi-surveillance tool is far from settled.
The Larger Trend: Kernel Anti-Cheat Goes Hypervisor
Riot’s move aligns with an industry pivot toward hypervisor-based security for gaming. EasyAntiCheat and BattlEye have both explored similar concepts with Microsoft’s Game Integrity platform, but Vanguard is the first major anti-cheat to ship a fully on-demand kernel driver that unloads when not in use. Analysts see this as a potential template for the future, as game engines grapple with the rising sophistication of kernel-level cheats without alienating their player bases.
Windows 11 25H2 is becoming the new baseline for PC gaming security. Its mandatory TPM 2.0, Secure Boot, and VBS capabilities were originally marketed for enterprise data protection. But Riot’s adoption shows how these features can be co-opted for consumer trust. In fact, Riot revealed that Vanguard Next will refuse to run if HVCI is disabled or if the system has a boot configuration that circumvents Secure Boot—closing a loophole that cheaters commonly exploited.
What About Players on Older Windows Versions?
For now, the on-demand feature is exclusive to Windows 11 25H2. Users on Windows 10 or earlier Windows 11 builds will continue to see Vanguard boot with the system. Riot hinted that a backport to Windows 11 24H2 is under investigation but not guaranteed because it lacks the necessary hypervisor primitives. Given that Windows 10 approaches its October 2025 end of support, the vast majority of gamers are expected to be on Windows 11 25H2 within a year.
This divergence means that as competitive seasons advance, players on 25H2 might enjoy a smoother experience and potentially faster match acceptance times, since the on-demand loading eliminates the need for the Vanguard service to be running continuously. Meanwhile, those on older builds will face the status quo—which might gently prod them toward upgrading.
The Competitive Landscape and What It Means for eSports
Professional players and tournament organizers have welcomed the change. At LAN events, where PCs are frequently rebooted and shared, eliminating a boot-time driver reduces variability and setup time. Riot’s eSports team issued a statement that all official Valorant Champions Tour events will run on Windows 11 25H2 with Vanguard Next, setting a precedent.
This move also raises the bar for competing anti-cheat solutions. As more games adopt kernel anti-cheat, the pressure to be always-on will be replaced by the ability to be perfectly ephemeral. It’s a natural evolution: security that is both stronger and less intrusive.
Practical Steps for Gamers
After the update rolls out—expected in the Vanguard 8.7 patch on June 30, 2026—Windows 11 25H2 users will need to take no action. The Riot client will detect the OS version and automatically switch Vanguard to on-demand mode. If you’re still seeing VGC.exe in your startup applications, you can safely ignore it; the service will hibernate.
For the extra cautious, Riot provided a troubleshooting guide: if the on-demand driver fails to load, the system falls back to a secure user-mode analyzer that may restrict gameplay to unrated modes. To ensure full competitive access, check that TPM 2.0 is enabled and HVCI is on in Windows Security > Device Security. A small percentage of DIY PCs might need a BIOS update to enable these features, a step that is now mandatory for Vanguard Next.
Looking Ahead: A Cheat-Free Future?
Riot’s announcement doesn’t promise a cheat-free utopia—no anti-cheat can deliver that. But by shifting from a boot-time persistent model to a hypervisor-verified, on-demand driver, the company has removed the most common complaint against its security approach without watering down protection. It’s a technical feat that required Microsoft to evolve its kernel APIs and Riot to abandon the comfort of an always-on guardian.
Gamers win faster boot times and a lighter PC outside of gaming; security purists win stronger isolation and tamper resistance; and Microsoft wins a high-profile poster child for Windows 11’s security-first design. The only losers are cheat developers, who now face a driver that materializes out of thin air, fortified by hardware, and disappears the moment you close the game. That’s a battle that will keep them guessing—and hopefully keep our ranked matches fair.