Configure and run on-demand Microsoft Defender Antivirus scans
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
- Microsoft Defender for Individuals
- Microsoft Defender Antivirus
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. When you run a scan, you can choose from among three types: Quick scan, full scan, and custom scan. In most cases, use a quick scan. A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled or on-demand scans. Learn more about scan types.
Important
Microsoft Defender Antivirus runs in the context of the LocalSystem account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to access the network share.
Use Microsoft Defender portal to run a scan
- Go to the Microsoft Defender portal (https://security.microsoft.com) and sign-in.
- Go to the device page that you would like to run a remote scan.
- Click on the ellipses (...).
- Click on Run Antivirus Scan.
- Under Select scan type, select the radio button for Quick Scan or Full Scan.
- Add a comment.
- Click on Confirm.
To check on the status:
- Under Actions & submissions, select Action Center and then select History tab.
- Click on Filters.
- Under the Action Type, check the box for Start antivirus scan.
- Click on Apply.
- Select one of the radio button.
- Under Action Status, you'll see the status such as Completed.
To check on the detections, see Review the results of Microsoft Defender Antivirus scans | Microsoft Learn
Use Microsoft Intune to run a scan
Use endpoint security to run a scan on Windows devices
Go to the Microsoft Intune admin center (https://intune.microsoft.com) and sign-in.
Choose Endpoint security > Antivirus.
In the list of tabs, select Windows 10 unhealthy endpoints or Windows 11 unhealthy endpoints.
From the list of actions provided, select Quick Scan (recommended) or Full Scan.
Tip
For more information about using Microsoft Configuration Manager to run a scan, see Antimalware and firewall tasks: How to perform an on-demand scan.
Use devices to run a scan on a single device
Go to the Microsoft Intune admin center (https://intune.microsoft.com) and sign-in.
From the sidebar, select Devices > All Devices and choose the device you want to scan.
Select ...More and select Quick Scan (recommended) or Full Scan from the options.
Use the Windows Security app to run a scan
For instructions on running a scan on individual endpoints, see Run a scan in the Windows Security app.
Use PowerShell cmdlets to run a scan
Use the following cmdlet:
Start-MpScan
Use PowerShell cmdlets to run a quick scan without excluding antivirus exclusions
Use the following cmdlet:
Set-MpPreference -QuickScanIncludeExclusions 1
Note
A value of 1
enables the inclusion of the antivirus excluded processes, folders, files, and extensions. A value of 0
(default) disables the inclusion of the antivirus excluded processes, folders, files, and extensions.
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Use the mpcmdrun.exe command-line utility to run a scan
Use the following -scan
parameter:
mpcmdrun.exe -scan -scantype 1
For more information on how to use the tool and other parameters, including starting a full scan or defining paths, see Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus.
Use Windows Management Instruction (WMI) to run a scan
Use the Start method of the MSFT_MpScan class.
For more information about which parameters are allowed, see Windows Defender WMIv2 APIs
Tip
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.