Configure scheduled quick or full Microsoft Defender Antivirus scans
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
In addition to always-on, real-time protection and on-demand antivirus scans, you can set up regular, scheduled antivirus scans. You can configure the type of scan, when the scan should occur, and if the scan should occur after a protection update or when an endpoint isn't being used. You can also set up special scans to complete remediation actions if needed.
What do you want to do?
- Learn about quick scans, full scans, and custom scans
- Use Group Policy to schedule antivirus scans
- Use Windows PowerShell to schedule antivirus scans
- Use Windows Management Instrumentation to schedule antivirus scans
Keep the following points in mind
By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can manage the schedule for when protection updates should be downloaded and applied to override this default.
If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
Scheduled scans run according to the local time zone of the device.
Quick scan, full scan, and custom scan
When you set up scheduled scans, you can specify whether the scan should be a full or quick scan. In most cases, a quick scan is recommended; however, we also recommend that you run at least one full scan after installing or enabling Defender Antivirus. This scan provides an opportunity to find existing threats and helps populate the cache for future scans.
|Scan type|Description|
|---|---|
|Quick scan|(Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with always-on, real-time protection, which reviews files when they're opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled scans.|
|Full scan|A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so). A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned. When a full scan begins it uses the security intelligence definitions installed at the time the scan starts. If new security intelligence updates are made available during the full scan, another full scan is required in order to scan for new threat detections contained in the latest update. Because of the time and resources involved in a full scan, in general, we do not recommend scheduling full scans.|
|Custom scan|A custom scan runs on files and folders that you specify. For example, you can choose to scan a USB drive or a specific folder on your device's local drive.|
By default, quick scans run on mounted removable devices, such as USB drives.
How do I know which scan type to choose?
Use the following table to choose a scan type.
|Scenario|Recommended scan type|
|---|---|
|You want to set up regular, scheduled scans|Quick scan. A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with always-on real-time protection, a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they're opened and closed, and whenever a user navigates to a folder.|
|Threats, such as malware, are detected on an individual device|Quick scan. In most cases, a quick scan will catch and clean up detected malware.|
|You want to run an on-demand scan|Quick scan|
|You want to make sure a portable device, such as a USB drive, doesn't contain malware|Custom scan. A custom scan enables you to select specific locations, folders, or files, and runs a quick scan.|
|You have just installed or re-enabled Microsoft Defender Antivirus|Full scan. Running a full scan after you've just enabled or installed Microsoft Defender Antivirus helps populate the cache for future scans. The full scan can also help detect existing threats on the device.|
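The recommendations in the table above, together with the event 1002 note under "Keep the following points in mind", can be applied with the Defender PowerShell cmdlets. This is an added example, not part of the original page; the day, the time and the `E:\` path are placeholder values chosen for illustration.

```powershell
# Added example; run from an elevated PowerShell session on the endpoint.
# Day, time and the E:\ path are placeholders chosen for illustration.

# 1. Scheduled scan: weekly quick scan at 02:00, device-local time.
$schedule = @{
    ScanParameters                      = 'QuickScan'
    ScanScheduleDay                     = 'Wednesday'
    ScanScheduleTime                    = '02:00:00'
    CheckForSignaturesBeforeRunningScan = $true   # update check right before the scan
    ScanOnlyIfIdleEnabled               = $true   # start only when the endpoint is idle
}
Set-MpPreference @schedule

# Read the settings back to confirm what the engine will use.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    CheckForSignaturesBeforeRunningScan, ScanOnlyIfIdleEnabled

# 2. One-time full scan after installing or re-enabling Defender Antivirus.
#    -AsJob returns immediately; a full scan can run for hours.
$fullScan = Start-MpScan -ScanType FullScan -AsJob

# 3. Custom scan of a removable drive before trusting its contents.
Start-MpScan -ScanType CustomScan -ScanPath 'E:\'

# 4. Scans that stopped before completion (event 1002) in the last 30 days,
#    for example a full scan interrupted while the device ran on battery.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1002
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```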
What else do I need to know about quick and full scans?
Malicious files can be stored in locations that aren't included in a quick scan. However, always-on real-time protection reviews all files that are opened and closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.
On-access protection with cloud-delivered protection helps ensure that all the files accessed on the system are being scanned with the latest security intelligence and cloud machine learning models.
When real-time protection detects malware and the extent of the affected files isn't determined initially, Microsoft Defender Antivirus initiates a full scan as part of the remediation process.
A full scan can detect malicious files that weren't detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete.
If a device is offline for an extended period of time, a full scan can take longer to complete.
Scheduled Quick Scan Performance Optimization
As a performance optimization, Microsoft Defender Antivirus will skip running scheduled quick scans in some situations. This optimization only applies to a quick scan when initiated by a schedule – it doesn't affect a quick scan initiated by an on-demand antivirus scan. This optimization reduces performance degradation by avoiding running a quick scan when it isn't necessary and won't affect protection.
By default, if a qualified quick scan was run within the last seven days, a new quick scan won't be initiated. A quick scan is considered qualified if it occurs after the last Security Intelligence Update was installed, Real-Time Protection was not disabled during that period, and if the machine was rebooted.
This optimization doesn't apply to the following conditions:
- If Microsoft Defender for Endpoint is Managed
- If Microsoft Defender Endpoint Detection and Response (EDR) is installed
- If the computer was restarted since the last quick scan
- If Microsoft Defender for Endpoint Real-Time Protection has been disabled since the last quick scan occurred, including if it's currently disabled
- If the last initiated quick scan wasn't completed
This optimization applies to machines running Windows 10 Anniversary Update (version 1607) and all subsequent Windows releases, as well as Windows Server 2016 (version 1607) and subsequent Windows Server releases, but doesn't apply to Core Server installations.
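To see whether a given endpoint is likely to skip its next scheduled quick scan, the conditions above can be checked against `Get-MpComputerStatus` and the last boot time. This is an added example, not Microsoft's code: `Test-QuickScanSkip` is a hypothetical helper, it follows the exclusion list above in treating a restart since the last quick scan as a reason to run, and it can't see the managed or EDR conditions or whether real-time protection was disabled and later re-enabled.

```powershell
# Added example. Test-QuickScanSkip is a hypothetical helper, not a Defender cmdlet.
function Test-QuickScanSkip {
    param(
        [Nullable[datetime]] $QuickScanStart,
        [Nullable[datetime]] $QuickScanEnd,
        [Nullable[datetime]] $SignatureUpdated,
        [datetime] $LastBoot,
        [bool] $RealTimeProtectionEnabled,
        [datetime] $Now = (Get-Date)
    )
    $run = @()   # reasons the scheduled quick scan is still expected to run
    if (-not $QuickScanStart -or -not $QuickScanEnd -or $QuickScanEnd -lt $QuickScanStart) {
        $run += 'last initiated quick scan was not completed'
    } else {
        if (($Now - $QuickScanEnd).TotalDays -gt 7) {
            $run += 'no quick scan within the last seven days'
        }
        if ($SignatureUpdated -and $SignatureUpdated -gt $QuickScanStart) {
            $run += 'security intelligence was updated after the last quick scan'
        }
        if ($LastBoot -gt $QuickScanEnd) {
            $run += 'device was restarted since the last quick scan'
        }
    }
    if (-not $RealTimeProtectionEnabled) {
        $run += 'real-time protection is currently disabled'
    }
    [pscustomobject]@{ LikelySkipped = ($run.Count -eq 0); ReasonsToRun = $run }
}

# Constructed sample: scan finished 2 days ago, intelligence updated 3 days ago,
# device booted 10 days ago, real-time protection on.
$now = Get-Date
Test-QuickScanSkip -QuickScanStart ($now.AddDays(-2).AddMinutes(-5)) `
    -QuickScanEnd ($now.AddDays(-2)) -SignatureUpdated ($now.AddDays(-3)) `
    -LastBoot ($now.AddDays(-10)) -RealTimeProtectionEnabled $true -Now $now

# Live values from the local endpoint.
$s    = Get-MpComputerStatus
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
Test-QuickScanSkip -QuickScanStart $s.QuickScanStartTime -QuickScanEnd $s.QuickScanEndTime `
    -SignatureUpdated $s.AntivirusSignatureLastUpdated -LastBoot $boot `
    -RealTimeProtectionEnabled $s.RealTimeProtectionEnabled
```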
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features