Problem: Riot Vanguard “VAN: RESTRICTION” suddenly blocks VALORANT/LoL on PC unless you update BIOS and enable Secure Boot/IOMMU/VBS—many players can’t comply (or can’t find a stable fix)

Published: 2026-01-04 12:00 (local time)

Quick Summary

A growing number of PC players are being hard-blocked from Riot games with “VAN: RESTRICTION” and related Secure Boot/TPM/VBS requirements.
The “fix” often involves BIOS updates + enabling security features (Secure Boot, IOMMU / DMA protection, VBS / Memory Integrity).
Many users report they already have these enabled, yet the restriction persists—or their hardware/BIOS doesn’t offer compliant settings.
This is tied to Riot’s ongoing anti-cheat escalation after public reporting on a motherboard-level pre-boot/DMA security gap.
There’s no single universal solution; outcomes vary by motherboard vendor, BIOS age, Windows version, and boot configuration.

What’s happening

Players attempting to launch (or sometimes queue into) Riot titles protected by Vanguard (notably VALORANT, and also Riot games that now integrate Vanguard) report being blocked by a “VAN: RESTRICTION” message that demands security changes such as updating the motherboard BIOS and enabling Secure Boot, IOMMU/DMA protection, and/or VBS (Memory Integrity). Riot’s own support documentation says these restrictions occur when Vanguard flags a PC as “too cheat-capable” due to outdated Windows or configurations that can enable cheating, and the on-screen restriction message indicates which settings are required to regain access.

In practice, affected players commonly report one of three experiences:

They can’t find the required BIOS settings (especially on older boards, OEM laptops, or heavily customized BIOSes).
They enable everything but still get blocked (Vanguard fails verification, settings don’t “stick,” or Windows reports Secure Boot as enabled while Vanguard disagrees).
They’re uncomfortable updating BIOS (risk of a failed flash, downtime, or losing settings), yet the game becomes unplayable without it.

This has become more visible recently as multiple major outlets reported Riot’s anti-cheat response to a motherboard/firmware pre-boot DMA gap, and Riot support pages were updated (December 18, 2025) to explicitly mention motherboard updates as part of lifting Vanguard restrictions.

Likely causes (what research suggests)

BIOS/firmware security gap + enforcement ramp-up: Reporting indicates Riot identified a pre-boot / DMA-related vulnerability that can allow advanced cheating via hardware methods, pushing BIOS updates from major vendors and stricter enforcement by Vanguard. This makes “update BIOS” part of the compliance path for some systems.
Boot mode mismatch (UEFI vs Legacy/CSM): Secure Boot generally requires UEFI boot (not Legacy/CSM). Some PCs show “Secure Boot capable” but are still booted with CSM enabled, preventing proper attestation.
IOMMU / Pre-boot DMA protection not enabled or not truly active: Even when toggled, some BIOSes label settings differently or leave them on AUTO (which may not satisfy Vanguard). Riot support explicitly calls out enabling IOMMU and related DMA options where available.
VBS/Memory Integrity conflicts: Enabling VBS/Memory Integrity can fail due to incompatible drivers, virtualization disabled in BIOS, or Windows configuration conflicts—yet Vanguard may require it for trusted state.
Hardware/BIOS age ceiling: Some users report their motherboard vendor has not released newer BIOS versions for their model in years, leaving them unable to install a “fixed” firmware even if they want to.

Solutions & Workarounds

1) Confirm what Windows thinks your security state is (before changing anything)

Who it helps: Windows 11/10 Riot players unsure whether they’re actually compliant.

Open System Information (press Windows key, type msinfo32).
Check BIOS Mode = UEFI (not Legacy).
Check Secure Boot State = On.
Open TPM management (press Windows key, type tpm.msc) and confirm TPM is present/enabled.

Risks/tradeoffs: None (read-only checks).

Stop & contact support when: Windows shows everything enabled but Vanguard still blocks you—capture screenshots of msinfo32 + tpm.msc for your ticket.

2) Remove Legacy/CSM boot and switch to full UEFI (common hidden blocker)

Who it helps: Players whose BIOS Mode is not UEFI, or who suspect CSM/Legacy is still on.

In Windows, verify BIOS Mode in msinfo32.
Reboot into BIOS/UEFI setup.
Find CSM / Legacy Boot and disable it; set boot mode to UEFI.
Save and reboot; re-check msinfo32 for UEFI + Secure Boot On.

Risks/tradeoffs: Changing boot mode can prevent booting if your OS disk uses an incompatible partition style; proceed carefully and back up important data first.

Stop & contact support when: Your PC fails to boot after changes—use your motherboard/OEM recovery steps or a professional technician.

3) Update BIOS/UEFI firmware to the newest version from your motherboard/OEM

Who it helps: Players receiving “Motherboard Update” guidance in the Vanguard restriction message, and users on affected vendors/models.

Identify your exact motherboard/OEM model via msinfo32 (BaseBoard Manufacturer/Product) or your OEM support app.
Download the latest BIOS from the manufacturer’s official support page for your exact model.
Follow the vendor’s flashing method (often EZ Flash/Q-Flash/M-Flash) and do not interrupt power.
After update, re-enable required settings: Secure Boot, IOMMU/DMA protection options, virtualization, and any defaults that reset.

Risks/tradeoffs: BIOS flashing carries real risk (failed flash/power loss can brick the board). If you’re not experienced, Riot explicitly recommends getting professional help rather than guessing in BIOS.

Stop & contact support when: Your vendor has no newer BIOS available, or Vanguard still blocks you after updating—document BIOS version + screenshots.

4) Enable IOMMU (and any DMA/DMAr protections) explicitly, not “AUTO”

Who it helps: Players getting restrictions tied to DMA/IOMMU requirements; boards where the option exists but is off/auto.

Enter BIOS/UEFI.
Locate IOMMU (often under Advanced/AMD CBS/NBIO or Intel System Agent/CPU Features).
Set IOMMU to Enabled (not Disabled/Auto).
If present, enable related toggles such as DMA Protection and/or DMAr Support.
Save and reboot.

Risks/tradeoffs: May affect compatibility with some niche virtualization/PCIe passthrough setups; usually safe for typical gaming PCs.

Stop & contact support when: Your BIOS doesn’t offer IOMMU/DMA settings or enabling them causes instability.

5) Turn on VBS / Memory Integrity (or fix why it won’t stay enabled)

Who it helps: Players whose Vanguard restriction requires HVCI/VBS, and players who find the toggle missing or auto-disables.

Open Windows Security → Device Security → Core isolation → toggle Memory Integrity on.
Reboot.
If you get “Page not available” or it won’t enable, go back into BIOS and enable virtualization (Intel VT-x/VT-d or AMD SVM) as required.
If it fails due to “incompatible drivers,” update or uninstall the listed drivers, then try again.

Risks/tradeoffs: Can reduce performance slightly in some workloads; may surface driver problems; may require troubleshooting older hardware drivers.

Stop & contact support when: You hit repeated BSODs or the setting keeps disabling—collect crash info and contact Riot plus your PC/motherboard vendor.

6) If your setup is “unusual” (external Windows installs, USB boot, etc.), move Windows + Riot game to an internal drive

Who it helps: Players using Windows or the game from external drives/adapters or atypical boot configurations that may fail attestation.

Install an internal SSD (NVMe/SATA) if possible.
Reinstall Windows cleanly to the internal drive in UEFI mode.
Install VALORANT (and Vanguard) to the internal drive.

Risks/tradeoffs: Time-consuming; requires backups; may require hardware purchase; not always possible on laptops.

Stop & contact support when: You can’t change storage configuration (laptop limitations) and you remain blocked—ask Riot support what alternative compliance paths exist for your model.

Prevention (so it doesn’t come back)

Keep motherboard BIOS/UEFI reasonably up to date (especially security-related releases), but avoid flashing casually—read vendor notes and follow official steps.
Stay on UEFI boot with Secure Boot enabled; avoid re-enabling CSM/Legacy unless you absolutely must.
Keep Windows updated and minimize old kernel-level driver utilities that can conflict with Memory Integrity.
After any BIOS update or reset, re-check Secure Boot, TPM, virtualization, and IOMMU settings—updates can revert them to defaults.

FAQ

Q: Is this only VALORANT?
A: Vanguard is Riot’s anti-cheat layer used by VALORANT and is also deployed in other Riot titles; the restriction messaging and required security posture comes from Vanguard enforcement.

Q: Why would a BIOS update be required for a game?
A: Riot and multiple reports describe a class of hardware/DMA-based cheat bypasses tied to pre-boot gaps. Updating BIOS can patch motherboard-level behavior and improve attestation of protections.

Q: My Windows says Secure Boot is On. Why does Vanguard still complain?
A: Common culprits include CSM/Legacy boot still being active, IOMMU/DMA protection not enabled, VBS requirements not met, or BIOS/firmware versions that don’t correctly report protections.

Q: Is updating BIOS safe?
A: It’s routine but not risk-free. A failed flash (wrong file, power loss) can brick a board. If you’re not comfortable, Riot explicitly suggests getting professional help rather than trial-and-error in BIOS.

Q: I have an older motherboard with no new BIOS updates—am I stuck?
A: Possibly. If Vanguard requires a firmware-side fix and your vendor no longer supports the model, you may need Riot support guidance or hardware replacement; outcomes vary by configuration.

Q: Should I disable security features to make the game run?
A: In general, no—these restrictions are specifically about turning protections on. Disabling them is more likely to keep you blocked.

Q: When should I stop troubleshooting and open a ticket?
A: If you’ve confirmed UEFI + Secure Boot On + TPM present, enabled IOMMU/VBS as required, updated BIOS (where available), and the restriction persists—open a Riot ticket with screenshots and your BIOS version.