What Is Microsoft Remote Attestation?
Microsoft Remote Attestation is a Windows platform feature that lets a remote server cryptographically verify a client device's identity, boot state, and configuration using the TPM 2.0 endorsement key (EK) certificate plus signed boot-log measurements. The TPM signs an attestation quote with a hardware-protected key, the server validates it against the TPM vendor's CA, and the result is a non-spoofable answer to "is this machine in a trusted state?" It has been adopted by Call of Duty Black Ops 7 and, increasingly, by AAA anti-cheats in 2026.
Remote Attestation is the technical foundation for the next phase of consumer anti-cheat. It moves the trust boundary from "the anti-cheat driver running on the box" to "the cryptographic signature the TPM produces, validated by a server." Microsoft has shipped it as a Windows platform feature for years for enterprise device-health attestation. In 2026, consumer games are starting to use it.
How attestation actually works
The TPM 2.0 chip ships from the factory with an Endorsement Key (EK) — an RSA or ECC keypair burned in at manufacture, with the public key certified by the TPM vendor's certificate authority (Infineon, STMicroelectronics, Nuvoton, AMD fTPM, Intel PTT, Microsoft Pluton, etc.). The attestation flow: (1) the server sends a nonce, (2) the client's TPM generates an Attestation Identity Key (AIK) signed by the EK, (3) the TPM signs a quote — the current PCR (Platform Configuration Register) values that summarize boot state — with the AIK, (4) the quote plus the EK cert plus the boot log goes back to the server, (5) the server validates the EK against the vendor CA chain, validates the quote signature, replays the boot log against the PCRs, and concludes whether the device's boot state matches its policy.
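The server-side checks from steps (1) and (5), as an added example that is not part of the original page or any vendor's code: it replays a boot log into PCR values, compares them with the digest a quote carries, and then applies policy. The dict-shaped quote, the event labels and the single golden PCR 7 value are constructed assumptions, and AIK signature and EK chain validation are assumed to have passed already.

```python
import hashlib
import hmac

ZERO = bytes(32)  # SHA-256 PCRs start at all zeros on reset

def extend(pcr, event_digest):
    # PCR extend: new value = SHA256(old value || event digest)
    return hashlib.sha256(pcr + event_digest).digest()

def replay_log(events):
    # events: ordered (pcr_index, event_digest) pairs from the boot log
    pcrs = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, ZERO), digest)
    return pcrs

def pcr_digest(pcrs, selection):
    # A quote carries one hash over the selected PCR values, in index order
    return hashlib.sha256(b"".join(pcrs.get(i, ZERO) for i in sorted(selection))).digest()

def verify_quote(quote, nonce, events, selection, policy):
    # Assumes the AIK signature over `quote` and the EK chain were already verified
    if not hmac.compare_digest(quote["extra_data"], nonce):
        return False, "nonce mismatch (stale or replayed quote)"
    pcrs = replay_log(events)
    if not hmac.compare_digest(pcr_digest(pcrs, selection), quote["pcr_digest"]):
        return False, "boot log does not reproduce the quoted PCRs"
    for index, expected in policy.items():
        if pcrs.get(index, ZERO) != expected:
            return False, f"PCR {index} does not match policy"
    return True, "boot state matches policy"

# --- constructed sample data (not real measurements) ---
def ev(index, label):
    return index, hashlib.sha256(label).digest()

GOOD_LOG = [ev(0, b"uefi-firmware"), ev(4, b"bootloader"), ev(7, b"secure-boot=on")]
BAD_LOG = [ev(0, b"uefi-firmware"), ev(4, b"bootloader"), ev(7, b"secure-boot=off")]
SELECTION = [0, 4, 7]
POLICY = {7: replay_log(GOOD_LOG)[7]}  # simplification: one golden PCR 7 value
NONCE = b"server-nonce-0001"

def make_quote(log, nonce):
    # Stands in for what a TPM would report for the state the log describes
    return {"extra_data": nonce, "pcr_digest": pcr_digest(replay_log(log), SELECTION)}

if __name__ == "__main__":
    print(verify_quote(make_quote(GOOD_LOG, NONCE), NONCE, GOOD_LOG, SELECTION, POLICY))
    print(verify_quote(make_quote(BAD_LOG, NONCE), NONCE, BAD_LOG, SELECTION, POLICY))
    print(verify_quote(make_quote(BAD_LOG, NONCE), NONCE, GOOD_LOG, SELECTION, POLICY))
```

The three calls cover a trusted boot, an honestly reported untrusted boot (rejected by policy), and a boot log that does not match what was quoted (rejected at replay).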
Why this changes the game
Until attestation, an anti-cheat could only trust what its own driver told it about the local machine — and a sufficiently sophisticated attacker could lie to the driver. With attestation, the TPM is the source of truth, and the TPM is a tamper-resistant cryptoprocessor. PCRs measure every boot stage: UEFI firmware, bootloader, Windows kernel, ELAM driver, loaded drivers. A modified boot chain produces different PCRs. A different physical TPM produces a different EK. There is no software substitute for either.
What COD Black Ops 7 did
Call of Duty Black Ops 7 (Activision, 2025) added Microsoft Remote Attestation as part of its anti-cheat stack. The implementation rejects sessions where the attestation quote indicates an untrusted boot state (TestSigning enabled, unsigned drivers loaded, Secure Boot disabled). This is the first AAA shooter to publicly use platform attestation as a gating mechanism, and other publishers are watching.
What's NOT spoofable
The EK certificate. The EK is signed by a vendor-controlled root CA. You cannot generate a fake EK that passes validation against Microsoft's, Intel's, AMD's, or the major TPM vendors' CAs. You cannot extract the EK private key from a properly designed TPM — the chip is physically tamper-resistant and the key never leaves the silicon. You can clear the TPM and regenerate the primary keys derived from the EK (this is what the Linux-method "TPM hash spoof" leaks of late 2025 did to surface hashes), but you cannot fake the EK itself, which means attestation that explicitly checks the EK certificate is not bypassable in software.
What IS in the gray zone
Attestation that checks only PCR values without binding to a specific EK certificate is weaker — you can rotate the surface PCR set by rebooting into different configurations. Attestation that doesn't check EK certificate vendor chains can be fooled by software TPMs in some cases. Anti-cheats that haven't adopted the full attestation flow are still in the "trust the local driver" model and remain in scope for traditional bypass research.
Forward look
Within 24 months, full Remote Attestation will be the default trust model for AAA shooters. This is the technical reality the cheat industry is staring down — and it's why hardware-clean machines, separate hardware for cheating, and account-level isolation matter more than ever. See our Pluton answer for why this fight gets worse in 2027+.
Implementation maturity across vendors
Microsoft Remote Attestation in 2026 has reached different maturity levels across AC vendors. COD Black Ops 7 is the most public implementation, gating matchmaking on attestation quote validation against trusted boot states. Riot Vanguard consumes attestation results internally as one signal among many in its HWID-correlation system. Easy Anti-Cheat has the framework integrated for Fortnite's heavy-protection mode but uses it as a supplementary check rather than a hard gate. BattlEye has been the most vocal AC vendor about hardware-attestation adoption and is expected to roll out full Remote Attestation enforcement on flagship titles within the next 12-18 months.
What attestation enables for ban enforcement
The most important implication isn't real-time detection — it's persistent HWID anchoring. When the AC stores the player's attestation-validated EK certificate hash in its ban database, that hash is non-spoofable forever. The player can format the OS, replace the motherboard (if discrete TPM), or apply any number of conventional spoofing techniques — the EK cert hash, validated cryptographically against the TPM vendor's CA chain, remains the same. This is the structural reason Pluton's rollout matters so much: Pluton's EK is on the CPU die, so even motherboard replacement doesn't move the identifier. The HWID ban becomes effectively permanent across all but CPU replacement.
Related Questions
Anti-cheats fingerprint hardware by collecting and hashing identifiers across multiple sources: SMBIOS (motherboard, BIOS, system UUID), NIC MAC addresses, disk serial numbers, GPU device IDs, CPU identifiers (CPUID brand string, microcode revision), TPM 2.0 endorsement key certificate, USB peripheral descriptors, and monitor EDID data. The combined fingerprint becomes the HWID — and the EK certificate plus motherboard SMBIOS are the most durable elements. Riot logged 2.3M+ HWID bans in 2025 alone.
Microsoft Pluton is a TPM 2.0 implementation integrated directly into the CPU silicon as a security subsystem. Unlike discrete TPMs (separate chips on the motherboard) or firmware TPMs (fTPM/PTT running in CPU TEE), Pluton is physically integrated into the processor die and signed by Microsoft's root CA. It ships in AMD Ryzen 7000+ series, select Intel Core Ultra parts, and Qualcomm Snapdragon X. Pluton is NOT spoofable in software and has no separate chip to physically replace.
Secure Boot is a UEFI firmware feature that cryptographically verifies the OS bootloader and kernel against a database of signed signatures. Only Microsoft-signed (or vendor-signed) boot code can execute. Anti-cheats require it because Secure Boot prevents loading rootkit-level cheats that hook the boot chain itself. With Secure Boot off, an attacker can patch the Windows bootloader, load unsigned drivers, and operate below the anti-cheat's visibility. Fortnite mandated Secure Boot on Feb 19, 2026; Vanguard requires it on Windows 11.
TPM 2.0 (Trusted Platform Module 2.0) is a tamper-resistant cryptoprocessor that ships in every modern PC — discrete chip, firmware-TPM (fTPM/PTT), or integrated into the CPU as Microsoft Pluton. It stores cryptographic keys, signs attestation quotes, measures boot state via PCRs, and exposes a hardware-rooted device identity via the Endorsement Key (EK). Anti-cheats use the EK as a non-spoofable HWID and validate boot state via attestation. The EK cert is NOT spoofable in software.
