Configure and run on-demand Windows Defender Antivirus scans

Applies to:

You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.

Quick scan versus full scan

Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.

Combined with always-on real-time protection capability--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.

In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.

A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.


By default, quick scans run on mounted removable devices, such as USB drives.

Use Configuration Manager to run a scan:

See Antimalware and firewall tasks: How to perform an on-demand scan for details on using System Center Configuration Manager (current branch) to run a scan.

Use the mpcmdrum.exe command-line utility to run a scan:

Use the following -scan parameter:

mpcmdrun.exe -scan -scantype 1

See Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.

Use Microsoft Intune to run a scan:

  1. In Intune, go to Devices > All Devices and select the device you want to scan.

  2. Select ...More and then select Quick Scan or Full Scan.

Use the Windows Security app to run a scan:

See Run a scan in the Windows Security app for instructions on running a scan on individual endpoints.

Use PowerShell cmdlets to run a scan:

Use the following cmdlet:


See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Use Windows Management Instruction (WMI) to run a scan:

Use the Start method of the MSFT_MpScan class.

See the following for more information and allowed parameters: