Quick fix: Open Windows Security → Virus & threat protection → Scan options, choose Microsoft Defender Antivirus (offline scan), click Scan now. The PC reboots into a minimal environment for the scan, then returns to Windows.
You suspect malware that hides while Windows is running — rootkits, bootkits, or sophisticated persistence mechanisms. Standard scans can’t detect these because the malware loads before Defender. Defender Offline scan boots into a minimal pre-OS environment where the malware can’t run, then scans your full system.
Affects: Windows 11 (and Windows 10) with Microsoft Defender enabled.
Fix time: ~15-30 minutes (depending on drive size).
What causes this
Some malware hooks into Windows’ boot process or kernel before Defender can scan. Once loaded, it hides its files, processes and registry entries from anti-malware tools running inside the same compromised OS. Defender Offline boots from a small recovery partition into Windows Defender alone: no other processes are running and no kernel hooks are active. From this clean environment, every file on disk can be scanned as plain data.
Method 1: Run Defender Offline scan via Windows Security UI
The standard approach.
- Save your work and close all apps. Defender Offline requires a reboot.
- Open Windows Security (search “Windows Security” in Start, or click the shield in the system tray).
- Click Virus & threat protection.
- Under Current threats, click Scan options.
- Select Microsoft Defender Antivirus (offline scan).
- Click Scan now.
- Confirm the prompt about restart. Click Scan.
- The PC reboots into the offline scan environment. The screen shows the Defender Offline UI with a progress bar.
- Scan takes 15-30 minutes depending on drive size. Don’t interrupt.
- When complete, the PC reboots automatically into Windows.
- Open Windows Security → Virus & threat protection → Scan history to see the scan’s findings.
This is the right tool for suspected hidden malware.
Method 2: Run via PowerShell for scriptable scanning
For IT or automated maintenance.
- Open Terminal (Admin).
- Trigger an offline scan:
  Start-MpWDOScan
  The PC reboots after a brief warning, and the scan runs.
- To check what was detected afterward:
  Get-MpThreatDetection
- For threat history limited to the last seven days (Get-MpThreatCatalog lists the signature definitions, not detections on this PC, so it is not the cmdlet for this):
  Get-MpThreatDetection | Where-Object InitialDetectionTime -gt (Get-Date).AddDays(-7) | Format-List
- This is the right approach for IT to deploy via Group Policy or scheduled task.
PowerShell automation lets you run Defender Offline scans without UI interaction.
Method 3: Run an alternative offline scanner if Defender Offline doesn’t catch the issue
For deeper threats Defender misses.
- Microsoft Safety Scanner: free, separate from Defender. Download from microsoft.com/wdsi/products/scanner. Runs from Windows but with elevated capabilities.
- Kaspersky Rescue Disk: bootable USB scanner. Download ISO from kaspersky.com, write to USB with Rufus, boot from USB, scan. Independent of installed Windows.
- ESET SysRescue Live: similar bootable scanner.
- Malwarebytes: install in Windows; run a full scan. Effective for adware and PUPs that traditional AV misses.
- Multiple scanners help because each has different detection heuristics. Running both Defender Offline and one alternative gives broader coverage.
This is the right approach for genuinely suspicious systems where Defender alone returns clean but symptoms persist.
How to verify the scan worked
- After PC returns to Windows, open Windows Security → Virus & threat protection → Protection history.
- The most recent entry shows Defender Offline scan with completion time.
- If threats were found, they’re listed with action (Removed, Quarantined).
- Run the following in PowerShell; it should show a recent scan time:
  Get-MpComputerStatus | Select-Object FullScanStartTime, FullScanEndTime, LastFullScanSource
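The following script is an added example, not code from the article or from Microsoft. It wraps the Method 2 cmdlets with the pre-flight checks this article calls out (Defender enabled, signatures current, BitLocker state) and the post-reboot verification from the list above. It assumes Windows 10/11 with the Defender (Get-Mp*, Start-MpWDOScan) and BitLocker (Get-BitLockerVolume) PowerShell modules present and an elevated session; the function names are invented for this example, and the ThreatStatusID lookup is a best-effort mapping with unmapped codes printed numerically.

```powershell
<#
  Added example (not from the article): pre-flight checks before Start-MpWDOScan,
  and a post-reboot report of what the offline scan found.
  Assumptions: Windows 10/11, Defender and BitLocker PowerShell modules available,
  run from an elevated PowerShell. Function names are invented for this example.
#>
#Requires -RunAsAdministrator

# Best-effort mapping (assumed) of MSFT_MpThreatDetection ThreatStatusID codes;
# anything not listed is shown as the raw number.
$script:ThreatStatusNames = @{
    1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'; 5 = 'Allowed'; 6 = 'Blocked'
}

function Test-OfflineScanReadiness {
    # Returns an array of warning strings; an empty array means the scan can start cleanly.
    $issues = @()
    $status = Get-MpComputerStatus

    if (-not $status.AntivirusEnabled) {
        $issues += 'Defender antivirus is disabled (another AV may be registered); the offline scan will not start.'
    }
    # Stale signatures reduce what the offline pass can recognise; refresh them first.
    if ($status.AntivirusSignatureAge -gt 1) {
        $issues += "Signatures are $($status.AntivirusSignatureAge) day(s) old; run Update-MpSignature before scanning."
    }
    # The offline environment may prompt for the BitLocker recovery key; warn, do not suspend automatically.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($bl -and $bl.ProtectionStatus -eq 'On') {
        $issues += "BitLocker protection is on for $($env:SystemDrive); keep the recovery key at hand, or suspend BitLocker only if the scan fails to initialize."
    }
    return ,$issues
}

function Start-OfflineScan {
    # Runs the pre-flight checks, then hands off to Start-MpWDOScan, which reboots the PC.
    param([switch]$Force)
    $issues = Test-OfflineScanReadiness
    $issues | ForEach-Object { Write-Warning $_ }
    if ($issues.Count -gt 0 -and -not $Force) {
        throw 'Pre-flight checks reported issues; fix them or re-run with -Force.'
    }
    Write-Host 'Starting Defender Offline scan; the PC will reboot shortly. Save your work.'
    Start-MpWDOScan
}

function Get-OfflineScanReport {
    # Run after the PC is back in Windows: summarises the last full scan and recent detections.
    param([int]$Days = 7)
    $status = Get-MpComputerStatus
    $cutoff = (Get-Date).AddDays(-$Days)

    # Get-MpThreat supplies the human-readable name for each ThreatID referenced by a detection.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    $detections = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt $cutoff } |
        ForEach-Object {
            $statusId = [int]$_.ThreatStatusID
            [pscustomobject]@{
                Detected  = $_.InitialDetectionTime
                Threat    = if ($names.ContainsKey($_.ThreatID)) { $names[$_.ThreatID] } else { "ThreatID $($_.ThreatID)" }
                Status    = if ($script:ThreatStatusNames.ContainsKey($statusId)) { $script:ThreatStatusNames[$statusId] } else { $statusId }
                Resources = ($_.Resources -join '; ')
            }
        }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        FullScanStart      = $status.FullScanStartTime
        FullScanEnd        = $status.FullScanEndTime
        LastFullScanSource = $status.LastFullScanSource
        ScanIsRecent       = ($status.FullScanEndTime -gt $cutoff)
        DetectionCount     = @($detections).Count
        Detections         = @($detections)
    }
}

# Usage (uncomment one line):
#   Start-OfflineScan                              # before the reboot
#   Get-OfflineScanReport -Days 7 | Format-List    # after the PC is back in Windows
```

The script deliberately only warns about BitLocker rather than suspending it, because suspending protection is a choice an administrator should make knowingly and only when the scan actually fails to initialize. Since Start-MpWDOScan reboots the machine, the two halves are separate entry points: run Start-OfflineScan before, and Get-OfflineScanReport once Windows is back, for example from a scheduled task that fires at logon.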
If none of these work
If Defender Offline doesn’t run, three causes apply.
- Recovery partition issue: Defender Offline boots from your recovery partition. If it’s damaged, the scan can’t initialize. Repair via Settings → System → Recovery → Reset this PC if needed.
- Group Policy block: corporate-managed PCs may have offline scan disabled. Contact IT.
- BitLocker: scans of BitLocker-encrypted drives may require the recovery key. Suspend BitLocker before running Defender Offline if the scan fails to initialize properly.
For suspected sophisticated persistent threats despite multiple clean scans, the safest action is a full disk wipe and clean Windows install. Copy out only the documents you absolutely need, and scan them before opening them on the rebuilt system.
Bottom line: Defender Offline scan boots into a minimal environment to catch malware that hides during normal Windows. Run via Windows Security → Scan options or PowerShell’s Start-MpWDOScan.