If you bought a spoofer in 2024 or 2025 and it stopped working on Vanguard, you ran into the TPM 2.0 problem. The motherboard serial still gets spoofed, the disks still look new, the MAC addresses are still randomized — but Vanguard finds you anyway and you get VAN 152 or VAN 9001 the moment the service tries to start.
The reason is the Trusted Platform Module (TPM 2.0): a small cryptographic chip on your motherboard that Vanguard started reading as part of its hardware fingerprint in 2024. Most spoofers built before that update do not touch the TPM, which means the chip ID stays on Vanguard's ban list even after everything else has been changed.
This post walks through what TPM 2.0 actually is, why it broke older spoofers, and what a real TPM-aware spoofer has to do in 2026 to actually bypass a Vanguard hardware ban.
What TPM 2.0 actually is
TPM stands for Trusted Platform Module. It is a small dedicated processor — usually a discrete chip soldered on the motherboard, sometimes integrated into the CPU as "firmware TPM" (fTPM on AMD, PTT on Intel) — that handles cryptographic operations the host OS cannot do safely.
It does three things you actually need:
- Stores cryptographic keys in hardware — disk encryption keys (BitLocker), Windows Hello biometrics, attestation keys. The keys never leave the chip, which is why TPM-encrypted disks survive OS reinstalls.
- Measures boot integrity — it records hashes of the bootloader and kernel as the system starts up. If something changes (a rootkit, an altered bootloader), TPM notices.
- Provides a unique identifier per chip — the manufacturer ID, model, and a unique serial. These three together fingerprint the physical TPM module to a high precision.
The third one is what matters for anti-cheat. Vanguard reads the TPM identifier and adds it to your hardware fingerprint. When Vanguard hardware-bans an account, the TPM ID goes on the ban list along with the motherboard serial, CPU ID, and the other identifiers we covered in the Vanguard HWID ban guide.
Why TPM 2.0 specifically broke older spoofers
Until 2024, a spoofer's job was straightforward. Intercept the Windows API calls that read the motherboard serial, CPU ID, disk serial, and MAC address, and return different values. Vanguard would call those APIs at startup, get the spoofed values, see a "new" machine, and let you in.
TPM 2.0 reading does not go through those APIs. The TPM is accessed via a dedicated TPM 2.0 driver (tpm.sys on Windows) that talks directly to the chip over the LPC or SPI bus. There is no GetMotherboardSerial()-style call to intercept. Spoofing the TPM means either:
- Intercepting the TPM driver's communication with the chip (low-level, requires deep kernel hooking)
- Replacing the TPM driver with a stub that returns spoofed values (very low-level, breaks BitLocker and other TPM users)
- Spoofing at the firmware level via UEFI variable manipulation (riskier, can soft-brick the machine)
- Faking the TPM software-side while keeping the real chip available for legit uses (most complex, most compatible)
Old spoofers did none of these. They patched the WMI APIs (Windows Management Instrumentation) and the SMBIOS structures, both of which Vanguard stopped trusting once TPM became part of the fingerprint.
When Vanguard's 2024 update went out, every spoofer that did not implement one of the four TPM strategies above silently stopped working on Vanguard. The vendor's website said "supports Vanguard." The spoofer ran fine, spoofed the motherboard cleanly, gave a successful "spoofing complete" message — and then Vanguard still hardware-banned the user because the TPM was unchanged.
This is the bug at the heart of every "I bought a spoofer and got banned anyway" story you read on Reddit from 2024 onward.
What a real TPM 2.0 spoofer has to do in 2026
For a spoofer to work on Vanguard in 2026, it has to satisfy a longer list of requirements than spoofers needed in 2023. Here is the full checklist:
1. Actually spoof the TPM 2.0 identifier
This is the headline requirement. The spoofer must intercept Vanguard's TPM read and return a different manufacturer ID, model, and serial than the real chip exposes. There are a few ways to do this cleanly; what matters is that the value Vanguard sees does not match the ban list.
A useful test: ask the vendor whether their spoofer changes the TPM Manufacturer ID specifically (not just "TPM" generically). Some vendors hedge their language because they only spoof the easier-to-reach TPM properties and miss the manufacturer ID that Vanguard actually fingerprints.
2. Stay HVCI-compatible
Windows 11 enables Hypervisor-protected Code Integrity (HVCI) by default. HVCI uses Hyper-V to enforce code integrity on kernel-mode drivers — it refuses to load any driver that is not signed, that maps writable-and-executable memory, or that violates a few other rules.
Many spoofers historically used techniques HVCI explicitly blocks. The first time a Win11 user enables HVCI (often during a system reset or a fresh install) those spoofers stop loading. The spoofer's installer reports success but the driver never actually runs.
A real 2026 spoofer either ships an HVCI-compatible driver or works in a mode that does not require kernel-mode driver loading at all.
3. Stay Secure Boot-compatible
Secure Boot is a UEFI feature that refuses to load anything in the boot chain that is not signed by a key in the firmware's trust store. It is on by default on Windows 11 — and required by Windows 11 in fact, even though some installs skip it.
Spoofers that modify UEFI variables or boot earlier than the OS to set up their hooking can collide with Secure Boot. If you disable Secure Boot to make a spoofer work, you have just given up TPM 2.0's attestation features and you trigger a separate set of Vanguard checks. Disabling Secure Boot is not a workaround; it is a tell.
A proper 2026 spoofer leaves Secure Boot on and operates inside its trust model.
4. No BIOS flashing
A subset of spoofers achieve "perfect" spoofing by flashing your motherboard's BIOS to change the serial number stored in firmware. This works extremely well — until the flash fails halfway through and you have a $300 paperweight.
BIOS-flashing spoofers should be a non-starter in 2026. The brick risk is real (we have seen 1-in-50 flash failures on AMD boards in particular), the warranty implications are real, and the spoofing benefit over software-only approaches is marginal for the Vanguard use case.
If a spoofer markets "permanent BIOS-level spoofing," ask whether you can undo it. If the answer is "no" or "with another flash," walk away.
5. Reversible
After you use a spoofer, you want to be able to put the original hardware identifiers back. Reasons:
- You may want to sell the machine and need it to show original serials for warranty
- Some games (notably Roblox at certain stages) flag spoofed hardware as suspicious in itself
- You may want to switch the spoofer off for a benign session and back on for a session that needs it
- TPM-bound BitLocker keys break if the TPM identifier permanently changes — you cannot decrypt the disk anymore
A real 2026 spoofer ships with a "restore" command that puts the original values back without re-flashing anything.
6. Daily updates
Vanguard pushes updates regularly. Most do not change the fingerprint surface, but every few months something does. A spoofer that worked in March can fail in May without warning. The vendor needs an active update channel and a public status page (or at least a Discord with timely posts).
What we ship
Temp Spoofer satisfies the six requirements above. Specifically:
- TPM 2.0 spoofing: the first and only spoofer in our catalog that does this. Manufacturer ID, model, and serial are all swapped.
- HVCI + Secure Boot: both stay enabled, no UEFI changes
- No BIOS flashing: zero brick risk, no warranty implications
- One-click restore: original serials come back any time
- Lifetime license available: $199 for lifetime, $75/month if you want monthly
We do not sell other spoofers because we have not found another product on the market in 2026 that satisfies all six requirements simultaneously. The market is dense with spoofers that hit three or four of these but miss one critical box — and that one missed box usually shows up as VAN 152 a few hours into the user's first session.
When a spoofer is not the right answer
A spoofer changes what Vanguard sees. There is another path that does not bother with what Vanguard sees because Vanguard never actually runs — a Vanguard emulator.
For League of Legends specifically, Atlas replaces Vanguard with a stub. The real Vanguard service never starts, never reads any identifiers, never consults the ban list. The whole TPM question becomes moot.
The trade-off:
- Atlas (Vanguard emulator) — League-only, monthly subscription, no spoofer required, no TPM dance.
- Temp Spoofer — works across Riot's titles, one-time or monthly purchase, gives you a clean hardware surface for everything.
If you only play League and you want the simplest fix, Atlas wins. If you want a clean hardware surface for Valorant, League, and for other games' anti-cheats, Temp Spoofer is the right tool.
The full breakdown for both is on the League of Legends page and the Valorant page.
What to look for if you are shopping elsewhere
If you are buying a spoofer from a vendor other than us, ask these questions before paying:
- "Do you spoof TPM 2.0 Manufacturer ID, Model, and Serial?" — All three. "We support TPM" is not the same answer.
- "Does your driver load with HVCI enabled?" — If they say "you need to disable HVCI," that is a 2026 dealbreaker.
- "Is Secure Boot required to be off?" — Same answer; should be "no."
- "Do you flash my BIOS?" — Should be "no" in 2026.
- "How do I restore original serials?" — Should be one command.
- "Where is your status page?" — If they do not have one, you are blind to outages.
If they fail two of those, look elsewhere. If they fail one (especially #1), they are not actually solving the Vanguard problem — they are solving the 2023 version of the problem and selling it as 2026.
