How to Start Microsoft Defender Offline Scan in Windows 10/11

Malware is more complex today than it was many years ago. It operates at the filter driver, service, or rootkit level, and eliminating it is tough. Sometimes, you need to boot to the Windows RE environment and then delete the core malware files and services added to your Windows installation.

Microsoft Defender Offline takes care of this situation by running a quick scan before the operating system loads. When Defender detects a rootkit or other hard-to-remove malware while Windows is running, it suggests that you run an offline scan, showing the following message or a similar one.


Scan offline

We found malware on your device. Run an offline scan to remove it. Your PC will restart.

(or)

Additional cleaning required.
To complete the cleaning process your PC needs to be rebooted and cleaned with Microsoft Defender Offline. This will take approximately 15 minutes. Please save all your files before clicking on the button.

How to Start “Microsoft Defender Offline” Scan

Microsoft Defender Offline is an integrated feature in Windows 10 and 11. To start a Defender Offline scan, use one of the following methods:

Method 1: Start Microsoft Defender Offline scan using GUI

Open Windows Security, click Virus and threat protection, and click “Scan options.”


Select Microsoft Defender Offline scan, and click Scan now.

Microsoft Defender Offline downloads a light-weight offline scanner, restarts the system, and runs a scan before loading Windows.

The light-weight offline scan image is about 2 MB and comprises the following files:

EppManifest.dll
mpasdesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
MpSvc.dll
MpTpmAtt.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
MsMpRes.dll
msseces.exe
OfflineScannerShell.exe
EN-US\MpSwpHelp.RTF
EN-US\MsMpRes.dll.mui
EN-US\offlinescannershell.exe.mui
EN-US\EppManifest.dll.mui
EN-US\EULA.RTF
EN-US\mpasdesc.dll.mui

Presumably, OfflineScannerShell.exe powers the scan in Windows RE, including locating the correct Operating System against which the scan has to be run. It’s completely automated and preconfigured to run a Quick scan using the definitions already in the system.

You’ll be prompted that you’re about to be signed out of Windows. After you are, your PC should restart. Microsoft Defender Offline will load and perform a quick scan of your PC in the recovery environment. There is no option to choose “Full scan” during the Microsoft Defender Offline scan.


When the scan has finished, your PC will automatically restart.

To see the Microsoft Defender Offline scan results:

  • Launch Windows Security > Virus & threat protection.
  • On the Virus & Threat protection screen, under Current threats, select Scan options and Protection history.

Note: If the offline scan didn’t detect any malware, the Protection history page doesn’t show anything about the last offline scan.


Method 2: Start Microsoft Defender Offline scan using a protocol command

Right-click Start, and click Run.

Type windowsdefender://wdoscan/ and click OK.

You’ll see the following dialog now:




Save your work

Microsoft Defender Offline scan will take some time and restart your device. Save all work before continuing.

After saving your work and closing all apps, click on the Scan button to start the Defender offline scan.

To learn more about other windowsdefender:// protocol commands, see the article Windows Security URL Shortcuts for Each Page (WindowsDefender://).


Method 3: Start Microsoft Defender Offline scan Using PowerShell

Previously, the Microsoft Defender offline scan could only be initiated using the following PowerShell command, or when Microsoft Defender Antivirus automatically suggested an offline scan while dealing with complex malware.

To start Windows Defender Offline scan using PowerShell, launch PowerShell as Administrator, and then run the following command:

Start-MpWDOScan


Press ENTER. The system will restart automatically within a minute and complete a quick scan in offline mode.
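Because the offline scan uses the definitions already on the system and the restart follows within a minute, it helps to check Defender's state before running the command. The script below is an added example, not part of the original article; the `$MaxSignatureAgeDays` threshold is an assumption chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks before Start-MpWDOScan.
# $MaxSignatureAgeDays is an assumed threshold, not a Microsoft default.
param(
    [int]$MaxSignatureAgeDays = 3
)

# The cmdlet ships with the Defender PowerShell module; stop early if it is absent.
if (-not (Get-Command Start-MpWDOScan -ErrorAction SilentlyContinue)) {
    throw 'Start-MpWDOScan is not available: the Defender PowerShell module is missing.'
}

# Get-MpComputerStatus is served by the same Defender WMI namespace as
# Start-MpWDOScan, so a failure here predicts a failure of the scan cmdlet.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    throw "Defender status query failed: $($_.Exception.Message)"
}

if (-not $status.AMServiceEnabled -or -not $status.AntivirusEnabled) {
    throw 'Microsoft Defender Antivirus is not the active antivirus on this device.'
}

# The offline scan uses the definitions already on disk, so refresh stale ones first.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Host "Signatures are $($status.AntivirusSignatureAge) day(s) old; updating."
    Update-MpSignature -ErrorAction Stop
}

Write-Warning 'The device will restart shortly. Save all work first.'
Start-MpWDOScan
```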


Microsoft Defender Offline Scan log

The Microsoft Defender Offline scan log is stored in “C:\Windows\Microsoft Antimalware\Support\msssWrapper.log”. If any threats were encountered during the scan, they will be recorded in the log as well as on the Windows Security → Protection history page. For more information, check out the article Microsoft Defender Offline Scan Stops at 91%?.
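Since Protection history shows nothing when the offline scan finds no malware, the log file and the Defender event log are the places to confirm that a scan actually ran. The following is an added example, not part of the original article; run it from an elevated PowerShell window. The `'threat'` search keyword is an assumption, because the article does not describe the log's line format.

```powershell
# Added example: confirm an offline scan ran and review what it found.
# The log path is the one given in the article.
$logPath = 'C:\Windows\Microsoft Antimalware\Support\msssWrapper.log'

if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath
    "Offline scan log last written: $($log.LastWriteTime)"
    # Assumption: lines of interest contain the word 'threat'; the log
    # format is not documented in the article.
    Select-String -LiteralPath $logPath -Pattern 'threat' |
        Select-Object -Last 20 LineNumber, Line
} else {
    "No offline scan log at $logPath (no offline scan has run, or the log was removed)."
}

# Events 2030 and 2031 in the Defender operational log record whether the
# offline scan was staged for the next restart or failed to stage.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 2030, 2031
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Detections recorded by Defender, newest first.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, Resources
```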


Related

Help protect my PC with Windows Defender Offline – Windows Help

Start-MpWDOScan (Defender) | Microsoft Learn

Microsoft Defender Offline Scan Stops at 91%?

(This post has been last modified on April 29, 2024.)



Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

3 thoughts on “How to Start Microsoft Defender Offline Scan in Windows 10/11”

  1. I tried the Windows Defender offline scan with Windows PowerShell as an administrator, but when I hit Enter, it says –

    Start -MPWDOScan : provider load failure At Line :1 char :1 + Start -MPWDOScan + ~~~~~~~~ + category info : Notspecified: (MSFT_MpWDOScan:ROOT\Microsoft\ . . .\MSFT_MpWDOScan) [Start -MPWDOScan], CimException + FullyQualifiedErrorId : HRESULT 0x80041013,Start -MPWDOScan

    Any help
