
TPM and Remote Attestation Explained: The Hardware Ban That Cannot Be Spoofed

May 19, 2026 | Nathan Reed | Reading time: 8 minutes

TPM's EkPub key is burned into the chip at the factory and cannot be rotated by any software running on top of it. Remote attestation moves the verification step off your machine entirely, to Microsoft's servers, where no cheat has reach.


What the TPM chip actually is

Every computer shipped in the last four years has a TPM 2.0 chip. Most players have never thought about it. Anti-cheat engineers think about it constantly.

TPM stands for Trusted Platform Module. It is a dedicated security microcontroller, either a discrete chip soldered to the motherboard or a firmware implementation inside the CPU itself, called fTPM. Its job is to perform cryptographic operations in isolated hardware that the operating system cannot directly access or modify. It stores keys. It measures system state. It signs attestation reports. None of those operations can be intercepted by software running at Ring-0.

That last sentence is the reason anti-cheat systems care about it. A kernel driver can hook almost any software call. It cannot hook a hardware cryptographic operation that never passes through the software stack.

The EkPub key: why it cannot be rotated

Every TPM contains an Endorsement Key pair burned in at the factory. The private half, called the EK, never leaves the chip. The public half, called the EkPub, is what anti-cheat systems can request and record.

The EkPub is a stable, unique identifier tied to the physical TPM hardware. On systems using fTPM (AMD's implementation is the most common), the EK is derived from a secret fused into the processor die at manufacture. Changing it requires replacing the CPU. On discrete TPM chips, it requires replacing the TPM module itself, which on most modern motherboards is soldered directly to the board.

When an anti-cheat system records your EkPub alongside a ban, it records something that no kernel driver, no registry edit, no SMBIOS spoofer can change. A HWID Spoofer intercepts queries to the storage controller and firmware tables. The TPM responds to its own protocol over a separate bus, and the EkPub it returns is signed by the chip's internal EK. Presenting a forged EkPub would require forging a cryptographic signature without access to the private key.

That is not a software problem. It is a cryptography problem. The two are not equivalent.

The boot chain: from power button to game launch

The reason TPM-based enforcement is effective starts before Windows loads. The security guarantee depends on a chain of measurements that begins the moment the power button is pressed.

// Secure boot measurement chain (power-on to game launch)

01. UEFI firmware executes: TPM measures firmware code. Hash stored in PCR 0. IOMMU initialized here (or not, if vulnerable).

02. Secure Boot verifies bootloader signature: only Microsoft or OEM-signed code passes. Unsigned drivers blocked before OS touches disk.

03. Windows kernel loads, PCR values locked: PCR registers are now sealed. Hypervisor presence exposed via PCR 0 or PCR 1 divergence.

04. Anti-cheat driver initializes (Vanguard pre-boot): requests TPM attestation quote. Quote includes PCR snapshot signed by EK. Sent to vendor server.

05. Remote server validates quote, checks EkPub: cryptographic signature verified off-machine. EkPub cross-referenced against ban list. Game launches or blocks.

Steps 01 and 02 are the pre-OS phase, step 03 is the OS load, and steps 04 and 05 are the anti-cheat enforcement window.

The chain matters because each step measures the previous one. If anything in the firmware or bootloader deviates from the expected state, the PCR values change, the attestation quote reflects that, and the remote server sees it. A cheat that loads before Windows and tries to hide in memory still changes the PCR measurements, because the measurements happen at the hardware level before the cheat has any opportunity to intervene.

Remote attestation: verification that runs off your machine

Local attestation means your machine checks itself and reports the result. An anti-cheat relying on local attestation is trusting the client to report honestly, and a client running a kernel cheat is not going to report honestly.

Remote attestation moves the verification step outside your machine entirely. When Ricochet requests a system integrity check, your TPM generates an attestation quote: a snapshot of the current PCR register values, signed with the chip's endorsement key. That signed package is sent to Microsoft's attestation service over the network. Microsoft's servers, which have no cheat software installed, verify the cryptographic signature against the EkPub on record and return a verdict. The verdict is not "the client says it is clean." It is "we verified the chain of measurements and it is clean, or it is not."

Software running on your machine cannot intercept this exchange after the packet leaves your network interface. The verification happens between your TPM and Microsoft's servers. A kernel driver that intercepts local TPM queries cannot intercept the response that Microsoft sends back to Ricochet's servers before returning a game session token.

PCR registers and what they expose

PCR registers are 24 fixed-size storage slots inside the TPM. Each one accumulates a running hash of measurements: firmware code, bootloader state, OS configuration, loaded drivers. The value in each register at any point is a cryptographic fingerprint of everything that contributed to it since power-on.

// PCR registers relevant to anti-cheat enforcement

| Register | Measures | What changes it | Anti-cheat signal |
|---|---|---|---|
| PCR 0 | Core firmware (BIOS/UEFI code) | Firmware update, modified UEFI | Hypervisor insertion, tampered firmware |
| PCR 1 | Platform config, BIOS settings | BIOS changes, virtualization toggle | VT-x/AMD-V enabled unexpectedly |
| PCR 4 | Boot manager code | Bootloader replacement, dual-boot | Non-Windows boot entry active |
| PCR 7 | Secure Boot state and policy | Secure Boot disabled, custom keys | Unsigned driver allowed, policy weakened |
| PCR 11 | BitLocker and Windows boot config | Boot config data changes | Indirect: config deviation from baseline |

PCR 0 and PCR 1 are the registers that expose hypervisor-based cheats. A cheat running inside a virtual machine changes what gets measured in PCR 0 because the virtualization layer inserts itself between the hardware and the firmware measurements. The expected PCR 0 value for a clean Windows boot on a given machine is known; a different value flags something unexpected in the pre-OS environment.
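The measurement chain and the PCR comparison described above, as an added example that is not from the original post or from any anti-cheat vendor: a Python simulation of the TPM 2.0 extend operation and of the verifier-side replay that a remote attestation service performs against a known-good baseline. All event-log contents are constructed, and the quote's signature check is not modelled; only the PCR arithmetic is.

```python
import hashlib
from typing import Dict, List, Tuple

# One measured-boot log entry: (PCR index, description, bytes that were measured).
Event = Tuple[int, str, bytes]

def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend on the SHA-256 bank: PCR = SHA256(PCR || SHA256(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()

def replay_event_log(events: List[Event]) -> Dict[int, bytes]:
    """Recompute PCR values from an event log, as a remote verifier does.
    PCRs 0-16 start at 32 zero bytes; event order matters because extend is not commutative."""
    pcrs: Dict[int, bytes] = {}
    for index, _description, data in events:
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(32)), data)
    return pcrs

def divergent_pcrs(observed: Dict[int, bytes], baseline: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose observed value differs from the known-good baseline."""
    return sorted(i for i in baseline if observed.get(i) != baseline[i])

# Constructed sample log for a clean boot (real firmware measures code images, not these strings).
CLEAN_BOOT: List[Event] = [
    (0, "UEFI firmware volume", b"constructed-firmware-image-v1"),
    (1, "Platform config", b"constructed-bios-settings"),
    (4, "Boot manager", b"constructed-bootmgfw.efi"),
    (7, "Secure Boot policy", b"constructed-secureboot-on-db-microsoft"),
]

# Same machine, but an extra unexpected component executed before the Windows boot manager.
# It cannot remove its own measurement: the firmware extended PCR 4 before it ran.
TAMPERED_BOOT: List[Event] = CLEAN_BOOT[:2] + [
    (4, "Unexpected pre-OS loader", b"constructed-unknown-loader.efi"),
] + CLEAN_BOOT[2:]

# The verifier's golden values are the replay of a known-good log, recorded once per platform.
BASELINE: Dict[int, bytes] = replay_event_log(CLEAN_BOOT)

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_BOOT), ("tampered", TAMPERED_BOOT)):
        bad = divergent_pcrs(replay_event_log(log), BASELINE)
        print(f"{name}: {'attestation OK' if not bad else f'divergent PCRs {bad}'}")
```

Because the extra loader only touches PCR 4, PCR 0, 1 and 7 still match the baseline; a hypervisor inserted under the firmware would show up in PCR 0 the same way.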

This is why some players attempt to disable TPM in BIOS when they hear it is used for anti-cheat enforcement. Disabling TPM does not hide anything. It removes the attestation capability entirely, which causes the remote attestation request to fail, which produces the same result as a failed attestation check: the game does not launch.

Which games enforce TPM-level hardware bans

| Game | TPM requirement | Enforcement mechanism |
|---|---|---|
| Valorant | TPM 2.0 + Secure Boot required since 2022 | Vanguard requests EkPub on launch; VAN:Restriction error blocks access |
| Call of Duty (all titles) | TPM 2.0 + Secure Boot for Ricochet-protected titles | Remote attestation via Microsoft; hardware ban tied to EkPub on confirmed cheaters |
| Escape from Tarkov | No TPM requirement at client level | BattlEye hardware bans use disk + SMBIOS cluster; EkPub not confirmed in enforcement |
| Fortnite | No TPM requirement currently | EAC hardware ban via disk + MAC + MachineGuid; TPM not in confirmed enforcement path |
| CS2 | No TPM requirement | VAC bans are account-level; hardware enforcement via manual review team only |

The split between Valorant and Tarkov matters practically. For Valorant hardware bans, a kernel-level HWID Spoofer that covers disk, SMBIOS, GPU, and MAC addresses is necessary but not sufficient, because Vanguard's enforcement path includes EkPub verification. The spoofer closes the hardware ID layer; it cannot close the TPM layer. For Tarkov and Fortnite, where TPM is not in the confirmed enforcement path, a full-coverage HWID Spoofer addresses the ban vector that is actually in use.

What this means for hardware ban recovery

The practical boundary is clear. A hardware ban enforced at the HWID layer (disk serial, SMBIOS strings, MAC address, volume GUID) responds to a kernel-level HWID Spoofer. The ZhexCheats HWID Spoofer covers those identifiers and includes the trace cleaner step that prevents re-ban from telemetry log analysis. For most titles running BattlEye or EAC, that combination closes the re-ban window.

A hardware ban enforced at the TPM layer, via EkPub recorded during a Vanguard session, requires physical hardware change: a new CPU on fTPM systems, or a new discrete TPM module where the motherboard supports it. No software running on the same hardware can produce a different EkPub, because the EkPub is derived from a key fused into the chip at manufacture.

The distinction is not a limitation of any specific product. It is a consequence of where the cryptographic boundary sits. Software operates inside that boundary. The TPM operates outside it, by design.

For the firmware-level side of this: how IOMMU works, what the pre-boot gap was, and how motherboard manufacturers patched their firmware to close DMA exploitation windows, see UEFI Pre-Boot Gap Explained. For the behavioral detection layer that operates entirely independently of hardware identifiers, see Behavioral Biometrics Explained.
