Restore quarantined files in Microsoft Defender Antivirus

Depending on how Microsoft Defender Antivirus is configured, it quarantines suspicious files. If you're certain a quarantined file isn't a threat, you can restore it on your Windows device.

Prerequisites

Supported operating systems

• Windows

Using the Windows Security app

1. On your Windows device, open Windows Security.

2. Select Virus & threat protection and then, under Current threats, select Protection history.

3. If you have a list of items, you can filter on Quarantined Items.

4. Select an item you want to keep, and choose an action, such as Restore.

Using the MpCmdRun command line

1. To show all quarantined files, run the following command in an elevated Command Prompt (a Command Prompt window you opened by selecting Run as administrator):

   "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -ListAll
   

2. In the same elevated Command Prompt window, use the following syntax to restore a quarantined file:

   "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name <filename>
   

Download or collect the file

Selecting Download file from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout appears where you can record a reason for downloading the file, and set a password. By default, you should be able to download files that are in quarantine.

The Download file button can have the following states:

• Active - You're able to collect the file.
• Disabled - If the button is grayed out or disabled during an active collection attempt, you might not have appropriate permissions to collect files.

For more information, see Download or collect file.

See also

• Configure remediation for scans
• Review scan results
• Address false positives/negatives in Microsoft Defender for Endpoint