When Microsoft Defender reports “Remediation failed” for a severe threat, it means Defender detected the malware but could not fully clean, quarantine, or remove it.
Take these steps to remove the threat and stabilize the device:
- Check Protection History for details and required actions
  - Open Windows Security → Virus & threat protection → Protection history.
  - Look for the Remediation incomplete or similar entry for the severe threat.
  - Select the entry to expand it and review the recommended additional steps. Protection History explicitly indicates when Defender could not finish cleaning and what the user must do next.
- Run a full scan and, if needed, an offline scan
  - In Virus & threat protection, run a Full scan to ensure no additional components are present.
  - If the same malware keeps coming back or the system behaves suspiciously, run Microsoft Defender Offline:
    - Go to Start > Settings > Update & Security > Windows Security > Virus & threat protection.
    - Under Current threats, select Scan options.
    - Select Windows Defender Offline scan and then Scan now.
    - The PC will restart and scan outside of Windows, which helps remove hidden or persistent malware.
- Manually handle files Defender cannot remediate
  - If the threat is inside a compressed archive (.zip) or on a network share, Defender might not be able to fully remediate it.
  - For a compressed file:
    - Browse to the file, right‑click it, and select Scan with Windows Defender.
    - If threats are detected, choose the appropriate action (remove or quarantine). If still not remediated, delete the archive manually.
  - For a file on a network share:
    - Open the share, right‑click the file, and select Scan with Windows Defender.
    - If threats are detected, remove or quarantine them, or delete the file from the share.
- Ensure Defender is up to date and error‑free
  - If Defender repeatedly encounters errors during scans or removal, do the following:
    - Run Windows Update to install the latest fixes and security components.
    - If update errors persist, manually install the latest protection updates from Microsoft as described in the malware troubleshooting guidance.
    - This helps resolve noncritical errors like Event ID 1118 (MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED), where Defender attempted an action but failed.
- Configure remediation behavior (optional, for future protection)
  - In managed environments (Intune, Group Policy, Configuration Manager), verify that remediation is configured to automatically quarantine or remove high and severe threats:
    - With Intune, use an Antivirus policy (profile: Microsoft Defender Antivirus) and set remediation actions for High and Severe threats under Allow On Access Protection.
    - With Group Policy, under Computer Configuration → Administrative Templates → Windows components → Microsoft Defender Antivirus, ensure Turn off routine remediation is Disabled so threats are remediated automatically.
- If malware keeps returning
  - Re‑infection can occur if an undetected component is reinstalling the malware or if the same malicious website/email is revisited.
  - Avoid suspicious sites and attachments, use a modern browser such as Microsoft Edge with Microsoft Defender SmartScreen, and keep Windows updated.
  - If the same threat is repeatedly detected even after an offline scan, consider more advanced cleanup or professional support, and as a last resort a Windows reset.
These steps address the immediate “remediation failed” state and help prevent recurrence.
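The same checks can be collected from an elevated PowerShell prompt. The script below is an added example, not part of the original answer; the function name `Get-FailedRemediation`, the 7-day window, and the heuristic for spotting archive or network-share resources are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: triage for a Defender "Remediation failed" report.

function Get-FailedRemediation {
    param([int]$Days = 7)   # look-back window (assumption)
    $since = (Get-Date).AddDays(-$Days)

    # Event ID 1118: Defender attempted an action on malware and the action failed.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1118
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    # Map threat IDs to names so failed detections are readable.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    # Detections whose remediation action did not succeed.
    $failed = @(Get-MpThreatDetection |
        Where-Object { -not $_.ActionSuccess -and $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID,
            @{ n = 'ThreatName'; e = { $names[$_.ThreatID] } },
            @{ n = 'Resources';  e = { $_.Resources -join '; ' } },
            # Heuristic (assumption): .zip archives and UNC paths usually need manual deletion.
            @{ n = 'LikelyManual'; e = { [bool]($_.Resources -match '\.zip|\\\\') } })

    # Group Policy "Turn off routine remediation" maps to this value; 1 means remediation is off.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -Name DisableRoutinelyTakingAction -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Event1118Count        = $events.Count
        FailedDetections      = $failed
        SignatureAgeDays      = (Get-MpComputerStatus).AntivirusSignatureAge
        RoutineRemediationOff = ($pol.DisableRoutinelyTakingAction -eq 1)
    }
}

$report = Get-FailedRemediation
$report | Format-List
$report.FailedDetections | Format-Table -AutoSize -Wrap

if ($report.FailedDetections.Count -gt 0) {
    Update-MpSignature                  # refresh protection updates first
    Start-MpScan -ScanType FullScan     # then run the full scan
    # If the same threat is detected again afterwards, run the offline scan.
    # This restarts the PC immediately, so it is left commented out:
    # Start-MpWDOScan
}
```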