Configure and run on-demand Microsoft Defender Antivirus scans

Applies to:


  • Windows

You can run an on-demand scan on individual endpoints. These scans start immediately, and you can define parameters for the scan, such as the location or type. When you run a scan, you can choose from among three types: quick scan, full scan, and custom scan. In most cases, use a quick scan. A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.

Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled or on-demand scans. Learn more about scan types.


Microsoft Defender Antivirus runs in the context of the LocalSystem account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to access the network share.

Use Microsoft Endpoint Manager to run a scan

  1. Go to the Microsoft Endpoint Manager admin center and log in.

  2. Choose Endpoint security > Antivirus.

  3. In the list of tabs, select Windows 10 unhealthy endpoints or Windows 11 unhealthy endpoints.

  4. From the list of actions provided, select Quick Scan (recommended) or Full Scan.

    Scan options on the Windows 10 unhealthy endpoints tab.


For more information about using Microsoft Endpoint Manager to run a scan, see Antimalware and firewall tasks: How to perform an on-demand scan.

Use the mpcmdrun.exe command-line utility to run a scan

Use the following -scan parameter:

mpcmdrun.exe -scan -scantype 1

For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus.

Use Microsoft Intune to run a scan

  1. Go to the Microsoft Endpoint Manager admin center and log in.

  2. From the sidebar, select Devices > All Devices and choose the device you want to scan.

  3. Select ...More. From the options, select Quick Scan (recommended) or Full Scan.

Use the Windows Security app to run a scan

See Run a scan in the Windows Security app for instructions on running a scan on individual endpoints.

Use PowerShell cmdlets to run a scan

Use the following cmdlet:


For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
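
As an added example (not from the original page), the function below wraps the built-in Start-MpScan cmdlet to run a quick, full, or custom scan and then lists detections recorded since the scan began. The wrapper name Invoke-OnDemandScan, its parameters, and the sample path are hypothetical, and an elevated PowerShell session is assumed.

```powershell
# Added example; Invoke-OnDemandScan and its parameters are hypothetical
# wrappers around the built-in Defender cmdlets. Assumes an elevated session.
function Invoke-OnDemandScan {
    [CmdletBinding()]
    param(
        [ValidateSet('QuickScan', 'FullScan', 'CustomScan')]
        [string]$Type = 'QuickScan',
        [string]$Path
    )

    # Stop early if the antivirus engine is not enabled on this device.
    if (-not (Get-MpComputerStatus).AntivirusEnabled) {
        throw 'Microsoft Defender Antivirus is not enabled on this device.'
    }

    $scanArgs = @{ ScanType = $Type }
    if ($Type -eq 'CustomScan') {
        if (-not $Path) { throw 'CustomScan requires -Path.' }
        if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
        if ($Path.StartsWith('\\')) {
            # Test-Path ran with your credentials; the scan of a share uses the
            # device account, which needs its own read permission.
            Write-Warning 'Network path: the device account must be able to read this share.'
        }
        $scanArgs.ScanPath = $Path
    }

    $started = Get-Date
    Start-MpScan @scanArgs   # returns when the scan has finished

    # Keep only detections first recorded after this scan started.
    $hits = @(Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started })
    [pscustomobject]@{
        ScanType   = $Type
        Started    = $started
        Finished   = Get-Date
        Detections = $hits.Count
        Resources  = @($hits | ForEach-Object { $_.Resources })
    }
}

# Quick scan, the recommended type for on-demand use.
Invoke-OnDemandScan
# Custom scan of one folder (constructed sample path):
# Invoke-OnDemandScan -Type CustomScan -Path 'C:\Users\Public\Downloads'
```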

Use Windows Management Instrumentation (WMI) to run a scan

Use the Start method of the MSFT_MpScan class.

For more information about which parameters are allowed, see Windows Defender WMIv2 APIs.