You can run an on-demand scan on individual endpoints. These scans start immediately, and you can define parameters for the scan, such as the location or type. When you run a scan, you can choose from three types: quick scan, full scan, and custom scan. In most cases, use a quick scan. A quick scan looks at all the locations where malware could be registered to start with the system, such as registry keys and known Windows startup folders.
Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled or on-demand scans. Learn more about scan types.
Important
Microsoft Defender Antivirus runs in the context of the LocalSystem account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to access the network share.
Use Microsoft Defender portal to run a scan
- Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
- Go to the page of the device on which you want to run a remote scan.
- Click on the ellipses (...).
- Click on Run Antivirus Scan.
- Under Select scan type, select the radio button for Quick Scan or Full Scan.
- Add a comment.
- Click on Confirm.
To check on the status:
- Under Actions & submissions, select Action Center and then select History tab.
- Click on Filters.
- Under the Action Type, check the box for Start antivirus scan.
- Click on Apply.
- Select one of the radio buttons.
- Under Action Status, you'll see the status such as Completed.
To check on the detections, see Review the results of Microsoft Defender Antivirus scans.
Use Microsoft Intune to run a scan
Use endpoint security to run a scan on Windows devices
Go to the Microsoft Intune admin center (https://intune.microsoft.com) and sign in.
Choose Endpoint security > Antivirus.
In the list of tabs, select Windows 10 unhealthy endpoints or Windows 11 unhealthy endpoints.
From the list of actions provided, select Quick Scan (recommended) or Full Scan.
Tip
For more information about using Microsoft Configuration Manager to run a scan, see Antimalware and firewall tasks: How to perform an on-demand scan.
Use devices to run a scan on a single device
Go to the Microsoft Intune admin center (https://intune.microsoft.com) and sign in.
From the sidebar, select Devices > All Devices and choose the device you want to scan.
Select ...More and select Quick Scan (recommended) or Full Scan from the options.
Use the Windows Security app to run a scan
For instructions on running a scan on individual endpoints, see Run a scan in the Windows Security app.
Use PowerShell to run a scan
Run the following command:
Start-MpScan
For detailed syntax and parameter information, see Start-MpScan.
Use PowerShell to run a quick scan without exclusions
Run the following command:
Set-MpPreference -QuickScanIncludeExclusions ScanRtpExclusions
The value ScanRtpExclusions or 1 includes paths that are excluded from antivirus using contextual exclusions with the following restrictions: ScanTrigger:OnAccess, ScanTrigger:BM, and Process:. For more information on how to set these exclusions, see Contextual file and folder exclusions.
The default value Disabled or 0 disables the inclusion of the contextually excluded paths.
Important
Including very large directories in quick scans might significantly increase the time it takes for the quick scan to complete.
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
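The following added example (not part of the original documentation) combines the two PowerShell steps above: it optionally includes contextually excluded paths for a single quick scan, restores the previous preference afterward, and then confirms that the scan finished and lists any detections recorded since it started. The function name `Invoke-VerifiedQuickScan` is hypothetical, and reading the current setting from a `QuickScanIncludeExclusions` property on `Get-MpPreference` is an assumption based on the parameter name.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session.
function Invoke-VerifiedQuickScan {          # hypothetical helper name
    [CmdletBinding()]
    param(
        # Include paths excluded through contextual exclusions for this scan only.
        [switch]$IncludeRtpExclusions
    )

    $started = Get-Date
    # Assumption: Get-MpPreference exposes the setting under the parameter's name.
    $previous = (Get-MpPreference).QuickScanIncludeExclusions

    try {
        if ($IncludeRtpExclusions) {
            Set-MpPreference -QuickScanIncludeExclusions ScanRtpExclusions
        }
        # Runs synchronously (no -AsJob); a failure to scan becomes a terminating error.
        Start-MpScan -ScanType QuickScan -ErrorAction Stop
    }
    finally {
        # Restore the earlier value (0/Disabled or 1/ScanRtpExclusions) so the
        # longer scan time does not carry over to later quick scans.
        if ($IncludeRtpExclusions -and $null -ne $previous) {
            Set-MpPreference -QuickScanIncludeExclusions $previous
        }
    }

    $status = Get-MpComputerStatus
    # Detections first seen at or after the moment this scan was requested.
    $detections = @(Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started })

    [pscustomobject]@{
        ScanCompleted             = ($status.QuickScanEndTime -ge $started)
        QuickScanEndTime          = $status.QuickScanEndTime
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DetectionCount            = $detections.Count
        Detections                = $detections |
            Select-Object ThreatID, InitialDetectionTime, Resources, ActionSuccess
    }
}

# Usage: one quick scan that also covers contextually excluded paths.
Invoke-VerifiedQuickScan -IncludeRtpExclusions | Format-List
```

If `ScanCompleted` is false, the recorded quick-scan end time is older than this request, so treat the device as unscanned and check the scan status before relying on the detection count.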
Use the MpCmdRun command-line tool to run a quick scan
Open an elevated Command Prompt (a Command Prompt window you opened by selecting Run as administrator). For example:
- Open the Start menu, and then type cmd.
- Right-click on the Command Prompt result, and then select Run as administrator.
In the elevated Command Prompt, run the following commands:
Tip
The first command changes the directory to the latest version of <antimalware platform version> in %ProgramData%\Microsoft\Windows Defender\Platform\<antimalware platform version>. If that path doesn't exist, it goes to %ProgramFiles%\Windows Defender.
(set "_done=" & if exist "%ProgramData%\Microsoft\Windows Defender\Platform\" (for /f "delims=" %d in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /b /o:-n 2^>nul') do if not defined _done (cd /d "%ProgramData%\Microsoft\Windows Defender\Platform\%d" & set _done=1)) else (cd /d "%ProgramFiles%\Windows Defender")) >nul 2>&1
MpCmdRun.exe -Scan -ScanType 1
For more information about MpCmdRun and the different -ScanType values, see Configure and manage Microsoft Defender Antivirus with the MpCmdRun command-line tool.
Use Windows Management Instrumentation (WMI) to run a scan
Use the Start method of the MSFT_MpScan class.
For more information about which parameters are allowed, see Windows Defender WMIv2 APIs.
Tip
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
