Riot Games is changing how its Vanguard anti-cheat runs on PCs, pulling back from its always-on behavior and limiting when it's active on players' machines. With a new update, Vanguard will no longer automatically start when a PC boots – at least not for everyone. Instead, it can run only while a game is active and shuts down when play ends. That brings Riot in line with other kernel-level anti-cheat systems that typically run only while you're playing instead of staying in the background all the time.
Vanguard's behavior has been under scrutiny since it launched in 2020, so the change isn't a minor one. The software runs at the kernel level, giving it broad access to a system's inner workings. That access helps catch advanced cheats, but it also means Vanguard ran with elevated privileges and was constantly running. For some users, that combination has been a sticking point.
Riot is not abandoning that architecture, but it is changing how and when it's used. In announcing the update, Riot's anti-cheat chief Phillip Koskinas made clear the change only applies to PCs that meet specific security requirements.
"Starting later today, the universally beloved anti-cheat product, Vanguard, will begin to support on-demand sessions from all sufficiently secured PC devices," Koskinas sarcastically wrote.
The key phrase there is "sufficiently secured." Vanguard will only step back from its always-on behavior if a system meets a defined set of security requirements. Otherwise, it will continue to run as it has.
Koskinas explained that "on-demand" means Vanguard's driver will no longer launch when Windows starts, but only on systems that meet the company's modern security requirements. Those systems rely on pre-boot security mechanisms and Windows' built-in protections, allowing Vanguard to shut down when it's no longer needed. He jokingly added that users would even get a few pixels of taskbar space back.
Those pre-boot and system-level protections show Riot is tying Vanguard's behavior more closely to the security features built into modern PCs. Instead of relying solely on its own persistent monitoring, the company is leaning more heavily on Windows' built-in safeguards, including UEFI Secure Boot, TPM 2.0, virtualization-based security, hypervisor-protected code integrity, and IOMMU.
In practical terms, Riot is trading constant oversight for stronger baseline security. By relying on the platform's built-in protections to secure the boot process and isolate sensitive operations, Vanguard no longer needs to remain active at all times to maintain system integrity.
Not every player will see the benefit right away. Riot estimates that about 35% of its users already meet the requirements for the new on-demand mode, and the option will appear automatically for them after the update. Everyone else faces a more involved path. The requirements include running Windows 11 25H2 or later and enabling several security features that are often turned off by default. Some of those settings – particularly Secure Boot or TPM – may require changes in the system BIOS, which can be unfamiliar territory for less technical users.
Even so, the direction is clear. Riot is keeping its kernel-level approach intact while dialing back how intrusive it feels in day-to-day use. The software still operates with deep system access when active, but it no longer has to be a constant presence.