In brief: Secure Boot, TPM 2.0, and other forms of kernel-level anti-cheat are already notorious for digging deep into users' systems, locking games to Windows, and increasing the risk of serious accidents. However, Microsoft plans to crack down harder by adding virtualization and remote validation to the mix.
Microsoft has added Remote Attestation to the latest description of its anti-cheat measures included in the recently released Call of Duty: Black Ops 7. The feature, which pings the company's servers when a PC boots, could tighten controversial security systems and raise privacy concerns.
Clicking on the link in the recent Xbox Wire article leads to a description of Microsoft Azure Attestation, which uses TPM to confirm that a PC's boot process only runs trusted software. The feature, which came to the public's attention following last year's CrowdStrike incident, verifies the boot environment against information on Azure servers.
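To make concrete what "verifying the boot environment against information on Azure servers" involves, the following is an added Python sketch of TPM-style measured boot and quote verification; it is not Microsoft's or Azure Attestation's code, and the component images, attestation key and the HMAC standing in for the TPM's signature are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the firmware, bootloader, kernel and driver images
# a measured boot would hash; the second chain has a modified kernel.
GOOD_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-v1", b"driver-v1"]
TAMPERED_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-patched", b"driver-v1"]

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TPM extend: PCR' = H(PCR || H(component)); order matters and nothing
    # can be un-extended, so the final value commits to the whole chain.
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(32)  # a PCR reads as all zeros after reset
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def make_quote(pcr: bytes, nonce: bytes, ak_key: bytes) -> dict:
    # A real TPM signs the quote with an asymmetric attestation key;
    # an HMAC under a constructed key stands in for that signature here.
    sig = hmac.new(ak_key, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}

def verify_quote(quote: dict, nonce: bytes, ak_key: bytes, known_good: set) -> str:
    # Verifier side: signature, then freshness, then the reported PCR must
    # match a boot state enrolled as known-good.
    expected = hmac.new(ak_key, quote["pcr"] + quote["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return "bad_signature"
    if quote["nonce"] != nonce:
        return "replayed_quote"
    if quote["pcr"] not in known_good:
        return "untrusted_boot_state"
    return "trusted"

def demo() -> dict:
    ak_key = b"constructed-attestation-key"
    known_good = {measure_boot(GOOD_BOOT)}  # reference value enrolled by the verifier
    nonce = secrets.token_bytes(16)         # fresh challenge for this boot
    clean = make_quote(measure_boot(GOOD_BOOT), nonce, ak_key)
    tampered = make_quote(measure_boot(TAMPERED_BOOT), nonce, ak_key)
    replayed = make_quote(measure_boot(GOOD_BOOT), b"\x00" * 16, ak_key)  # old nonce
    return {
        "clean": verify_quote(clean, nonce, ak_key, known_good),
        "tampered": verify_quote(tampered, nonce, ak_key, known_good),
        "replayed": verify_quote(replayed, nonce, ak_key, known_good),
    }
```

The verifier never sees the boot components themselves, only a signed digest and a nonce, which is why a single changed image anywhere in the chain yields an unknown PCR value while a captured earlier quote fails the freshness check.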
Although legitimate players appreciate the company's efforts to fight increasingly creative cheaters in online games, some might feel concerned about their devices pinging Microsoft servers on every boot. Furthermore, whether harmless software could create false positives remains unclear.
Several popular games have already drawn criticism for using kernel-level anti-cheat systems. Kernel-level security software runs at the operating system's most privileged layer, which many users consider unnecessarily risky. The CrowdStrike fiasco vindicated critics when a defective update for a kernel-level security scanner disabled millions of Windows PCs.
Moreover, these features, in addition to Secure Boot and TPM, effectively make some of the most popular games exclusive to Windows because macOS and Linux do not allow third-party software to access their kernels (a fact that Apple extravagantly noted last month). This makes some of the most popular PC titles, such as Fortnite, Call of Duty, Battlefield 6, Valorant, and Grand Theft Auto Online, unplayable on the Steam Deck and Valve's upcoming Steam Machine.
In light of this, Remote Attestation could become a positive, as it does not access the kernel. Neither does Virtualization-based Security, another security layer Microsoft is using for anti-cheat, which isolates applications in a secure memory region using Hyper-V and Windows virtualization. Relying on these options instead of Secure Boot could be less risky and less restrictive.
In the meantime, Microsoft's guide includes instructions for activating TPM and Secure Boot, specific to various motherboard manufacturers. Steam also recently introduced a tool that checks whether users' systems have engaged the two features.