Microsoft Defender Offline is a powerful anti-malware tool that allows you to perform a deep scan in a secure, offline environment. This ensures thorough detection and removal of stubborn threats like rootkits and boot-sector viruses that can evade standard scans within Windows.
What is Microsoft Defender Offline Scan?
Microsoft Defender Offline Scan is an essential anti-malware utility designed to run outside of the normal Windows operating system. This unique approach lets it effectively target and eliminate malware, such as rootkits and bootkits, that hide deep within your system or even replace the Master Boot Record (MBR). By operating outside the active OS, it bypasses malware’s defenses, offering a cleaner and more reliable scan.
This tool is especially useful when you suspect a persistent malware infection or need to validate that your system is thoroughly clean after a security incident. It provides an extra layer of assurance beyond regular antivirus scans.
Prerequisites for Running Defender Offline Scan
Before you initiate a Microsoft Defender Offline scan, ensure your system meets these prerequisites:
- Supported Operating Systems:
  - Windows 11 (x64)
  - Windows 10 (x64/x86)
  - Windows 8.1 (x64/x86)
  - Windows 7 Service Pack 1 (x64/x86)
Caution: Microsoft Defender Offline Scan is not compatible with ARM versions of Windows 11 and Windows 10, or Windows Server SKUs.
- Microsoft Defender Antivirus as Primary Antivirus: Ensure Microsoft Defender Antivirus is your primary antivirus solution and is not running in passive mode.
- Up-to-date Antivirus Definitions: Keep your Microsoft Defender Antivirus updated with the latest definitions, just as you normally manage updates for your endpoints.
- Local Administrator Privileges: The user running the scan must have local administrator rights on the system.
- Windows Recovery Environment (WinRE) Enabled: WinRE must be enabled for the offline scan to function correctly.
Note: If WinRE is disabled, the Defender Offline scan will not run, and no error message will be displayed. To check WinRE status, run the following in an elevated Command Prompt:
reagentc /info
If it reports WinRE as disabled, enable it with:
reagentc /enable
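The prerequisites above can be checked in one pass before scheduling a scan, which matters because a disabled WinRE makes the offline scan fail silently. The following script is an added example, not part of the original article or of Microsoft's tooling; it assumes the built-in Defender PowerShell module (Get-MpComputerStatus) and reagentc.exe are available, that it runs in an elevated session, that reagentc prints its English "Windows RE status" line, and that the one-day signature-age threshold is a local choice.

```powershell
# Added example: pre-flight check for the Defender Offline prerequisites listed above.
# Assumes the built-in Defender module (Get-MpComputerStatus) and reagentc.exe are present
# and that this runs elevated, since reagentc only reports WinRE state to administrators.

function Test-DefenderOfflinePrerequisites {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are flagged as stale (threshold is an assumption).
        [int]$MaxSignatureAgeDays = 1
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # 1. Local administrator rights (required for the scan itself and for reagentc).
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Check 'Local administrator' $isAdmin "Running as $([Environment]::UserName)"

    # 2. Platform: ARM builds and Windows Server SKUs are unsupported (ProductType 1 = workstation).
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $arch = $env:PROCESSOR_ARCHITECTURE
    Add-Check 'Supported platform' (($os.ProductType -eq 1) -and ($arch -notmatch '^ARM')) "$($os.Caption) ($arch)"

    # 3. Defender is the active (not passive) antivirus and its definitions are fresh.
    $status      = Get-MpComputerStatus
    $runningMode = $status.AMRunningMode   # 'Normal' = active; 'Passive Mode' etc. = another AV is primary
    $isActive    = $status.AntivirusEnabled -and ($runningMode -eq 'Normal' -or [string]::IsNullOrEmpty($runningMode))
    Add-Check 'Defender is primary AV' $isActive "AMRunningMode=$runningMode; AntivirusEnabled=$($status.AntivirusEnabled)"
    Add-Check 'Definitions up to date' ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "Signature age $($status.AntivirusSignatureAge) day(s), last updated $($status.AntivirusSignatureLastUpdated)"

    # 4. WinRE enabled: parse the 'Windows RE status' line of reagentc /info (English output assumed).
    #    A disabled WinRE makes the offline scan silently do nothing, so a missing line counts as a fail.
    $reLine = (& reagentc.exe /info 2>&1) | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
    $winReEnabled = [bool]($reLine -and $reLine -match 'Enabled')
    $reDetail = if ($reLine) { $reLine.Trim() } else { 'reagentc /info produced no status line (not elevated?)' }
    Add-Check 'WinRE enabled' $winReEnabled $reDetail

    return $results
}

# Usage: show the table and return a non-zero exit code if anything failed, so a wrapper
# script can refuse to call Start-MpWDOScan on a machine that is not ready.
$checks = Test-DefenderOfflinePrerequisites
$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) {
    Write-Warning 'One or more prerequisites are not met; the offline scan may silently not run.'
    exit 1
}
```

Run it elevated on the endpoint before starting the scan; the WinRE check is the one most often missed because nothing in the UI reports it.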
When to Use Defender Offline Scan?
Microsoft Defender Antivirus is designed to detect when an offline scan is necessary. If it determines that a Defender Offline scan would be beneficial, it will notify you. This notification can appear as a pop-up message.
You’ll also see a notification within the Microsoft Defender Antivirus interface. For managed devices using Intune, these notifications are also visible in the Intune console.
In environments managed by Configuration Manager, you can check endpoint status by navigating to Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status. A required Microsoft Defender Offline scan is indicated under Malware remediation status as Offline scan required.
Configuring Defender Offline Scan Notifications
Notifications for Microsoft Defender Offline are managed through the same policy settings as other Microsoft Defender Antivirus alerts. You can customize how these notifications appear to users. For detailed information, refer to Configure the notifications that appear on endpoints.
Methods to Run a Defender Offline Scan
Before proceeding with a Defender Offline scan, ensure you save all your work and close running applications. The scan typically takes around 15 minutes, and your computer will restart upon completion. The user interface during the scan will look different from a standard Windows Defender scan as it operates outside of Windows.
You can initiate a Microsoft Defender Offline scan using these methods:
1. Using the Windows Security App
For Windows 10 (version 1607 and later) and Windows 11, the easiest way to launch Defender Offline Scan is through the Windows Security app:
- Open the Windows Security app.
- Click on Virus & threat protection.
- Select Scan options.
- Choose the Microsoft Defender Offline scan radio button.
- Click Scan now. The process begins from C:\ProgramData\Microsoft\Windows Defender\Offline Scanner.
- You will be prompted to save your work. Click Scan after saving.
- A User Account Control prompt will appear asking for permission to make changes. Select Yes.
- You’ll see a notification informing you about the sign-out and imminent shutdown.
- Your computer will restart and initiate the Microsoft Defender Offline scan. You’ll observe the scan progress on screen.
2. Using PowerShell Cmdlets
You can also use PowerShell to start an offline scan with the following cmdlet:
Start-MpWDOScan
For more details on using PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
3. Using Windows Management Instrumentation (WMI)
For more advanced management, you can use WMI to initiate a Defender Offline scan using the MSFT_MpWDOScan class.
The following WMI command will immediately trigger a Microsoft Defender Offline scan, restarting the endpoint, performing the scan, and then rebooting back into Windows:
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
Refer to Windows Defender WMIv2 APIs for more information.
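Because both Start-MpWDOScan and the WMI call reboot the endpoint as soon as they succeed, a scripted launch should gate on confirmation and support -WhatIf. The function below is an added example written for this article, not code from Microsoft's documentation; it prefers the Start-MpWDOScan cmdlet from the previous section and falls back to calling the MSFT_MpWDOScan class through Invoke-CimMethod, which is the PowerShell equivalent of the wmic command above. The -ComputerName parameter for remote use is an assumption and requires WinRM/CIM access plus local administrator rights on the target.

```powershell
# Added example: start a Defender Offline scan with a confirmation gate. Uses
# Start-MpWDOScan when the Defender module is available and otherwise invokes the
# MSFT_MpWDOScan.Start method directly (same WMIv2 class the wmic command targets).
# -ComputerName is an assumption for remote targets (needs WinRM/CIM and local admin).

function Start-DefenderOfflineScan {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # ConfirmImpact = High means this prompts by default; -WhatIf only prints the action.
    if (-not $PSCmdlet.ShouldProcess($ComputerName, 'Start Microsoft Defender Offline scan (device will reboot)')) {
        return
    }

    $session = $null
    try {
        if ($ComputerName -ne $env:COMPUTERNAME) {
            $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
        }

        # Preferred path: the Defender module cmdlet, which accepts -CimSession for remote targets.
        if (Get-Command Start-MpWDOScan -ErrorAction SilentlyContinue) {
            if ($session) { Start-MpWDOScan -CimSession $session -ErrorAction Stop }
            else          { Start-MpWDOScan -ErrorAction Stop }
            return [pscustomobject]@{ ComputerName = $ComputerName; Method = 'Start-MpWDOScan'; ReturnValue = 0 }
        }

        # Fallback: call the WMIv2 class directly (wmic.exe is deprecated on current Windows builds).
        $params = @{
            Namespace   = 'root/Microsoft/Windows/Defender'
            ClassName   = 'MSFT_MpWDOScan'
            MethodName  = 'Start'
            ErrorAction = 'Stop'
        }
        if ($session) { $params.CimSession = $session }
        $result = Invoke-CimMethod @params
        # ReturnValue 0 means the offline scan was scheduled and the reboot is under way.
        return [pscustomobject]@{ ComputerName = $ComputerName; Method = 'MSFT_MpWDOScan.Start'; ReturnValue = $result.ReturnValue }
    }
    finally {
        if ($session) { Remove-CimSession $session }
    }
}

# Usage: -WhatIf shows what would happen without scheduling anything; omit it to be prompted.
Start-DefenderOfflineScan -WhatIf
```

Keep the confirmation prompt in interactive use; for fleet-wide deployment, pass -Confirm:$false only from tooling that has already warned the user to save their work, since the reboot follows immediately.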
4. For Windows 7 SP1 and Windows 8.1: Using Bootable Media
On older operating systems like Windows 7 SP1 and Windows 8.1, you need to create bootable media (CD, DVD, or USB drive) to run Defender Offline:
- Download Windows Defender Offline: Download the appropriate version (32-bit or 64-bit) from the Microsoft Download Center. If unsure of your system type, see Is my PC running the 32-bit or 64-bit version of Windows?.
- Create Bootable Media: Run the downloaded tool and follow the prompts to create a bootable CD, DVD, or USB flash drive. You’ll need blank media with at least 250 MB of free space.
Tip: Create the bootable media on a clean PC to prevent malware interference during the process. If using a USB drive, it will be reformatted, so back up any important data first.
- Boot and Scan:
  a. Insert the bootable media into the infected PC and restart it.
  b. Boot from the USB drive, CD, or DVD. You might need to adjust boot settings in your BIOS/UEFI to boot from removable media.
  c. Microsoft Defender Offline will automatically start scanning and removing malware.
  d. Once the scan is complete, reboot your computer and remove the media to start Windows normally.
- Malware Removal: Defender Offline will attempt to remove any detected malware.
If you encounter a blue screen error during the offline scan, restart your device and try again. If the issue persists, contact Microsoft Support.
Accessing Defender Offline Scan Results
To view the scan results in Windows 10 and Windows 11:
- Go to Start > Settings > Update & Security > Windows Security > Virus & threat protection.
- On the Virus & threat protection screen, under Current threats, select Scan options, and then Protection history. For more details, see Review threat detection history in the Windows Security app.
Verifying if Defender Offline Scan Was Initiated
You can check the Event Viewer to confirm if a Defender Offline scan was started:
- Open Event Viewer.
- Navigate to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.
- Look for Event ID 2030 (or Event ID 5007 on older Windows versions).
- Event ID 2030 carries the message “Microsoft Defender Antivirus downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.” On older versions, Event ID 5007 carries the corresponding message “Windows Defender Offline to run on the next reboot.”
This event confirms that the Defender Offline scan was successfully scheduled to run upon the next system restart.
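The same confirmation, together with the results that the Protection history view shows, can be pulled from the command line, which is useful when verifying many endpoints after an incident. The script below is an added example written for this article, not Microsoft's code; it assumes read access to the Microsoft-Windows-Windows Defender/Operational log and the built-in Defender module (Get-MpThreat, Get-MpThreatDetection), and the seven-day lookback window is a local choice.

```powershell
# Added example: confirm from the Defender operational log that an offline scan was
# scheduled (Event ID 2030, or 5007 on older Windows) and list recorded detections,
# the cmdlet counterpart to the Protection history view. Assumes the built-in Defender
# module and read access to the Microsoft-Windows-Windows Defender/Operational log.

function Get-DefenderOfflineScanStatus {
    [CmdletBinding()]
    param(
        # Only look back this many days (value is an assumption).
        [int]$Days = 7
    )

    $since = (Get-Date).AddDays(-$Days)

    # Get-WinEvent throws when nothing matches; suppress that and treat it as "not scheduled".
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2030, 5007
        StartTime = $since
    }

    # 5007 is a general configuration-change event on current builds, so keep only entries
    # whose message refers to the offline scan being set up for the next reboot.
    $scheduled = @($events | Where-Object { $_.Message -match 'offline scan|Windows Defender Offline' })

    # Detections recorded by Defender (including those found by the offline scan), joined
    # with threat metadata so name and severity appear next to each detection.
    $threats = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $threats[$_.ThreatID] = $_ }
    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $t        = $threats[$_.ThreatID]
            $name     = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
            $severity = if ($t) { $t.SeverityID } else { $null }
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = $name
                Severity   = $severity
                Resources  = ($_.Resources -join '; ')
                Remediated = $_.ActionSuccess
            }
        }

    $lastScheduled = if ($scheduled.Count -gt 0) {
        ($scheduled | Sort-Object TimeCreated -Descending)[0].TimeCreated
    } else { $null }

    [pscustomobject]@{
        ScanScheduled   = ($scheduled.Count -gt 0)
        LastScheduledAt = $lastScheduled
        ScheduleEvents  = $scheduled | Select-Object TimeCreated, Id, Message
        Detections      = @($detections)
    }
}

# Usage
$status = Get-DefenderOfflineScanStatus
if ($status.ScanScheduled) { "Offline scan last scheduled at $($status.LastScheduledAt)" }
else { 'No offline scan scheduled in the lookback window.' }
$status.Detections | Format-Table -AutoSize
```

A ScanScheduled value of $true only proves the scan was set up for the next reboot; pair it with the Detections list (or the Protection history view) to confirm what the offline pass actually found and remediated.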
Related Resources
For antivirus information related to other platforms, see: Microsoft Defender for Endpoint documentation.
Tip: Want to learn more or engage with the community? Join the Microsoft Security Tech Community for discussions and insights about Microsoft Defender for Endpoint.