
Will TPM 2.0 and Pluton Kill All Cheats?

No, but they'll kill specific cheat architectures. TPM 2.0 and Microsoft Pluton produce chip-signed attestation reports that software spoofers cannot forge — eliminating the ability to spoof boot integrity. They do not stop ESP, aimbots, or radar hacks that operate within the legitimate game session. They also do not stop DMA cheats on external machines. The 2026 reality: TPM/Pluton kill HWID spoofing for affected identifiers and kill some kernel-cheat techniques, but not cheats as a category.

RawCheats Anti-Cheat Research Team. Updated May 12, 2026

The "TPM and Pluton will kill all cheats" claim circulates in gaming communities every time a new anti-cheat hardware requirement is announced. It's wrong, but it's not entirely wrong. The reality requires understanding what TPM 2.0 and Pluton actually do, what they don't do, and which specific cheat architectures they affect.

What TPM 2.0 actually is

TPM 2.0 is a Trusted Platform Module: either a discrete chip integrated into modern motherboards or a firmware implementation (Intel PTT / AMD fTPM). It provides three key functions: hardware-based key storage that software cannot extract, cryptographic measurement of the system's boot state, and signed attestation reports that prove to a remote verifier what was loaded during boot. Windows 11 requires TPM 2.0; Windows 11 24H2 increased the enforcement.

For anti-cheats, TPM 2.0 enables boot-state attestation. The TPM measures each step of the boot process — firmware, bootloader, kernel, drivers — and produces a cryptographically signed report. An anti-cheat backend can request this report and verify that the system booted in a clean configuration before granting access. A software HWID spoofer cannot forge a TPM-signed report because the signing key is locked inside the chip.

What Microsoft Pluton extends

Microsoft Pluton is TPM functionality integrated directly into the CPU rather than implemented as a separate chip. Pluton was introduced in Microsoft's 2020 Surface and is now available on newer Ryzen and Intel processors. The advantage over a discrete TPM: Pluton runs on the CPU itself with no exposed bus traces, eliminating attacks that physically probe TPM pins. Pluton also enables Microsoft to update firmware via Windows Update, keeping the attestation infrastructure current. See "What Is Microsoft Pluton?" below.

What TPM/Pluton do NOT do

This is the critical caveat. TPM and Pluton do not:

  • Inspect game memory at runtime
  • Detect ESP, aimbots, radar hacks, or any cheat logic during gameplay
  • Prevent code injection into the game process at runtime
  • Block DMA cheats running on a separate machine via PCIe
  • Stop external screen-capture-plus-input-emulation cheats
  • Detect behavioral patterns

TPM only attests to boot integrity. Once the system has booted and the attestation report has been sent and validated, TPM has no role in the gameplay session. A cheat that loads after the boot attestation step is invisible to TPM. The protection TPM offers is significantly narrower than the marketing suggests.

What TPM/Pluton DO kill

Three specific architectures lose viability:

  • Boot-time HWID spoofing for TPM-derived identifiers — the TPM endorsement key, attestation identity key, and Pluton-derived identifiers cannot be spoofed by software. A spoofer can still change SMBIOS, disk serials, and MAC addresses, but not TPM identity.
  • Kernel cheats that disable Secure Boot or HVCI — anti-cheats check the TPM attestation report to confirm that Secure Boot is enabled and HVCI is active. A cheat that requires either to be disabled is detectable via attestation.
  • Some kernel-driver injection paths — vulnerable-driver loading is harder when TPM reports the loaded driver list to the anti-cheat backend.

These are real losses for the cheat industry, but they're partial — not total.

Why TPM doesn't kill cheats as a category

The cheat industry's response is straightforward: build cheats that work without disabling Secure Boot, without modifying TPM-attested identifiers, and that operate within the legitimate game session rather than from a modified boot. Humanized ESP and aimbots fit this profile. DMA cheats on external machines fit this profile (the gaming PC's TPM attestation is fine; the cheat is somewhere else). Behavioral evasion fits this profile.

The cheats that die are the ones that require kernel-level modifications visible to attestation. The cheats that survive are the ones that don't. The market shifts but the market doesn't disappear.

2026 status

Black Ops 7's Microsoft Remote Attestation shipped in October 2025. Riot Vanguard has been gradually adopting TPM checks. Fortnite's February 2026 IOMMU mandate represents a parallel hardware-level enforcement that targets a different cheat architecture. Pair this with our HWID spoofer pillar, which addresses what spoofing still works in the TPM era, and see "What Is TPM 2.0 and How Does It Affect Cheating?" for the full technical breakdown.


Related Questions

What Is Microsoft Pluton?

Microsoft Pluton is a TPM 2.0 implementation integrated directly into the CPU silicon as a security subsystem. Unlike discrete TPMs (separate chips on the motherboard) or firmware TPMs (fTPM/PTT running in the CPU's TEE), Pluton is physically integrated into the processor die and signed by Microsoft's root CA. It ships in AMD Ryzen 7000+ series, select Intel Core Ultra parts, and Qualcomm Snapdragon X. Pluton is NOT spoofable in software and has no separate chip to physically replace.

What Is Microsoft Remote Attestation?

Microsoft Remote Attestation is a Windows platform feature that lets a remote server cryptographically verify a client device's identity, boot state, and configuration using the TPM 2.0 endorsement key (EK) certificate plus signed boot-log measurements. The TPM signs an attestation quote with a hardware-protected key, the server validates it against the TPM vendor's CA, and the result is a non-spoofable answer to "is this machine in a trusted state?" Adopted by Call of Duty Black Ops 7 and increasingly by AAA anti-cheats in 2026.
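
The server-side check described in this answer and in the boot-state attestation section above, as an added Python example (not code from Microsoft or any anti-cheat vendor): the backend replays the client's event log with the PCR extend rule and accepts only if the result matches the PCR digest in the quote and the nonce is fresh. Assumptions: the quote's signature and key certificate chain are already verified; events are simplified to (PCR index, data) pairs; the quote layout, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def extend(pcr, digest):
    """TPM 2.0 PCR extend: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log, select):
    """Recompute the selected PCRs from the (untrusted) event log."""
    pcrs = {i: bytes(32) for i in select}
    for index, data in event_log:
        if index in pcrs:
            pcrs[index] = extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs

def pcr_digest(pcrs):
    """Hash of the selected PCR values in index order, as a quote carries it."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

def verify(quote, event_log, nonce, required):
    """Backend check; the quote's signature is assumed verified upstream."""
    if not hmac.compare_digest(quote["nonce"], nonce):
        return "reject: stale or replayed quote"
    replayed = pcr_digest(replay(event_log, quote["select"]))
    if not hmac.compare_digest(replayed, quote["pcr_digest"]):
        return "reject: event log does not match quoted PCRs"
    if any(event not in event_log for event in required):
        return "reject: required measurement absent"
    return "accept"

def tpm_quote(measured, nonce, select=(0, 4, 7)):
    """Stand-in for the TPM: the quote reflects what was really measured."""
    return {"nonce": nonce, "select": select,
            "pcr_digest": pcr_digest(replay(measured, select))}

# Constructed sample measurements (simplified, not real TCG event records).
SB_ON, SB_OFF = (7, b"SecureBoot=1"), (7, b"SecureBoot=0")
CLEAN = [(0, b"firmware"), (4, b"bootmgr"), SB_ON]
DIRTY = [(0, b"firmware"), (4, b"bootmgr"), SB_OFF]

def demo(nonce=b"constructed-nonce-01"):
    return [
        verify(tpm_quote(CLEAN, nonce), CLEAN, nonce, [SB_ON]),   # honest client
        verify(tpm_quote(DIRTY, nonce), CLEAN, nonce, [SB_ON]),   # doctored log
        verify(tpm_quote(DIRTY, nonce), DIRTY, nonce, [SB_ON]),   # policy failure
        verify(tpm_quote(CLEAN, b"old"), CLEAN, nonce, [SB_ON]),  # replayed quote
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The event log itself is unsigned, so the verifier trusts it only after the replay matches the signed PCR digest; the policy check then runs on a log that is known to reflect what the TPM measured.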

What Is TPM 2.0 and How Does It Affect Cheating?

TPM 2.0 (Trusted Platform Module 2.0) is a tamper-resistant cryptoprocessor that ships in every modern PC — discrete chip, firmware-TPM (fTPM/PTT), or integrated into the CPU as Microsoft Pluton. It stores cryptographic keys, signs attestation quotes, measures boot state via PCRs, and exposes a hardware-rooted device identity via the Endorsement Key (EK). Anti-cheats use the EK as a non-spoofable HWID and validate boot state via attestation. The EK cert is NOT spoofable in software.

Can a HWID Spoofer Beat TPM 2.0?

No. TPM 2.0 endorsement keys are signed by the TPM chip manufacturer at production and stored inside the chip itself — they cannot be rewritten from software. Anti-cheats that read TPM EK and PCR values (Vanguard, COD: Black Ops 7 via Remote Attestation, FACEIT, Fortnite tournaments) get a cryptographic identity no commercial spoofer can fake. The only public TPM-spoof attempt — Samuel Tulach's tpm-spoofer POC — is unstable research code.

What's the Future of Anti-Cheats?

The future of anti-cheats is chip-to-cloud attestation, behavioral ML at scale, and hypervisor-level scanning. TPM 2.0, Microsoft Pluton, and Remote Attestation move trust verification below the operating system. Behavioral ML (Anybrain, Riot's neural classifiers) detects from gameplay patterns rather than runtime signatures. Hypervisor-based scanning (the direction Vanguard is moving) runs anti-cheat above the OS in ring -1. By 2027-2028, software-only cheats will face all three lanes simultaneously.
