What Is Secure Boot and Why Do Anti-Cheats Require It?

Secure Boot is a UEFI firmware feature that cryptographically verifies the OS bootloader and kernel against a database of signed signatures. Only Microsoft-signed (or vendor-signed) boot code can execute. Anti-cheats require it because Secure Boot prevents loading rootkit-level cheats that hook the boot chain itself. With Secure Boot off, an attacker can patch the Windows bootloader, load unsigned drivers, and operate below the anti-cheat's visibility. Fortnite mandated Secure Boot on Feb 19, 2026; Vanguard requires it on Windows 11.

What Is IOMMU and Why Does It Matter for Cheats?

IOMMU (Input-Output Memory Management Unit) is a CPU hardware feature — Intel VT-d, AMD-Vi — that creates per-device virtual address spaces for PCIe devices. With IOMMU enabled, a PCIe device can only read physical memory that the OS has explicitly mapped into its IOMMU page tables. This is what kills naive DMA cheats: an FPGA card can no longer freely read game memory because the IOMMU blocks it. Fortnite mandated IOMMU on Feb 19, 2026, joining Vanguard, BattlEye, and EAC titles.

What Is Microsoft Remote Attestation?

Microsoft Remote Attestation is a Windows platform feature that lets a remote server cryptographically verify a client device''s identity, boot state, and configuration using the TPM 2.0 endorsement key (EK) certificate plus signed boot-log measurements. The TPM signs an attestation quote with a hardware-protected key, the server validates it against the TPM vendor''s CA, and the result is a non-spoofable answer to "is this machine in a trusted state?" Adopted by Call of Duty Black Ops 7 and increasingly by AAA anti-cheats in 2026.

What Is TPM 2.0 and How Does It Affect Cheating?

TPM 2.0 (Trusted Platform Module 2.0) is a tamper-resistant cryptoprocessor that ships in every modern PC — discrete chip, firmware-TPM (fTPM/PTT), or integrated into the CPU as Microsoft Pluton. It stores cryptographic keys, signs attestation quotes, measures boot state via PCRs, and exposes a hardware-rooted device identity via the Endorsement Key (EK). Anti-cheats use the EK as a non-spoofable HWID and validate boot state via attestation. The EK cert is NOT spoofable in software.

What Was the February 2026 Fortnite IOMMU Rule?

On February 19, 2026, Epic Games mandated that every PC tournament — from $5 cash cups up to FNCS qualifiers — requires Secure Boot, TPM 2.0, and IOMMU enabled in BIOS on every competing PC. IOMMU was the new addition. Once mandated, IOMMU's hardware memory wall blocked consumer-grade DMA cards from reading game RAM, destroying the upper tier of the Fortnite cheat market overnight in tournament lobbies.

What Is Secure Boot and Why Anti-Cheats Require It?

Secure Boot has been a UEFI feature since 2012, but the consumer-gaming relevance only crystallized in 2024-2026 as AAA anti-cheats began enforcing it. The technical purpose is straightforward: cryptographically verify everything that runs before the OS hands off control to user space.

How Secure Boot works

At system power-on, UEFI firmware runs first. With Secure Boot enabled, UEFI consults a database (DB) of allowed code signatures and a database of disallowed signatures (DBX). Before executing any boot-time code — bootloaders, kernels, Option ROMs, UEFI applications — UEFI hashes the code and verifies the hash is signed by a key in DB and not in DBX. The signatures chain to a Platform Key (PK) and Key Exchange Keys (KEK) that are typically provisioned by the OEM and trusted to Microsoft.

The result: the only boot code that runs is code signed by Microsoft, the OEM, or a vendor whose key is in the Platform DB. Unsigned bootloaders are rejected. Modified Windows kernels are rejected. Boot-stage rootkits cannot execute.

Why anti-cheats care

A boot-stage rootkit ("bootkit") is the cheat developer''s ultimate attack on an anti-cheat: load before Windows, intercept the kernel handoff, install hooks before AC drivers load, hide from kernel-callback enumeration. With Secure Boot off, this is technically achievable. With Secure Boot on, it''s structurally blocked — the modified bootloader is rejected by UEFI and the system never boots.

For an anti-cheat that loads as an early-launch driver (Vanguard''s vgk.sys as ELAM), Secure Boot is what makes "early launch" meaningful. Without Secure Boot, "early launch" still loses to a bootkit that ran before any Windows driver. With Secure Boot, the AC genuinely is among the first things to see the running system.

What Secure Boot is NOT

Secure Boot is not anti-cheat per se. It''s a Windows/OS-level integrity feature that anti-cheats use as a foundation. It does not detect cheats — it just denies the boot stage to unsigned code. After OS boot, signed kernel-mode cheats (loaded via BYOVD, leaked-cert signing, or exploit) can still execute regardless of Secure Boot state.

It''s also not a cheating-specific feature. Secure Boot exists for general OS integrity — preventing malware bootkits, securing enterprise deployment, enabling BitLocker''s pre-boot environment. Anti-cheat is one consumer-facing application of a feature designed for much broader reasons.

What enabling Secure Boot does to your machine

For most modern hardware (Windows 11 era and Windows 10 from 2015+): nothing visible. The system boots normally with Microsoft-signed Windows, all signed drivers continue to work, and you don''t notice the difference. For older or unusual configurations: dual-boot setups with non-Microsoft-signed bootloaders may fail to boot, custom kernels or modified bootloaders are blocked, some Linux distros need their own keys provisioned. Compatibility issues are rare for typical gaming PCs.

What the Fortnite Feb 19, 2026 mandate did

Fortnite''s Feb 19, 2026 update made Secure Boot + TPM 2.0 + IOMMU required for match participation. Players running Windows installs with Secure Boot disabled couldn''t join matches. The community impact: hundreds of thousands of players had to enter UEFI, enable Secure Boot, and reboot — most of whom had never touched UEFI before. The compliance friction was significant, but Epic''s position was that the security gain justified the cost. See What was the Feb 2026 Fortnite IOMMU rule.

What anti-cheats require Secure Boot

Vanguard (Valorant, League of Legends) — required on Windows 11
EAC (Fortnite specifically from Feb 19, 2026 onward) — required
BattlEye (some titles, including PUBG soft-required) — increasingly required
Ricochet (COD Black Ops 7) — required via Remote Attestation flow

Other AC integrations either don''t enforce or enforce soft (warning rather than block). The trajectory is universal enforcement within 24 months for AAA shooters.

What Secure Boot doesn''t solve for cheating

Cheats that operate post-boot (running as signed user-mode applications, loaded into the game process, or running as signed kernel drivers loaded via BYOVD) work fine with Secure Boot enabled. The cheat-industry adaptation to Secure Boot mandates was straightforward: stop relying on bootkit techniques (which were always niche) and stay in the post-boot world. RawCheats has never used bootkit techniques and is unaffected by Secure Boot mandates — see our HWID Spoofer 2026 Guide.

Practical impact for cheaters

Enable Secure Boot. It doesn''t prevent any standard cheating technique used by the consumer cheat market in 2026. It does prevent you being locked out of Fortnite, Valorant, and other titles. The performance cost is zero. The compatibility cost is essentially zero for modern hardware.

Forward look

Secure Boot will be universal AAA shooter requirement within 24 months. Pluton-attested boot will follow within 36-48 months. The trajectory of consumer AAA gaming is increasingly hardware-integrity-rooted, and Secure Boot is the first floor of that stack.