When your antivirus keeps flagging the same infection, or a piece of malware reappears every time you reboot, a normal scan is not enough. Some threats load before Windows finishes starting, then hide from any tool that runs inside the live operating system. A Microsoft Defender Offline scan helps with exactly this problem by running before Windows loads, in a clean recovery environment where stubborn malware has a harder time hiding. This guide walks you through running that scan on Windows 11 and Windows 10, plus the protection settings worth checking first so the scan can actually do its job.
Opening Windows Security the reliable way
Everything you need lives in the Windows Security app, which is the built-in front end for Microsoft Defender Antivirus on both Windows 11 and Windows 10. There is no separate offline scan tool to download on modern Windows; the feature is part of this app already.
The safest way to open it on either version is to search for Windows Security in the Start menu and select it. If you prefer the Settings route, it differs by version. On Windows 11, go to Settings > Privacy and security > Windows Security. On Windows 10, go to Settings > Update and Security > Windows Security, then select Open Windows Security if prompted.
If you are on Windows 10 in S mode, note that the Virus and threat protection screen offers fewer options than the standard editions. The core scanning functions described here still apply.
Finding the Virus and threat protection screen
Once the app is open, select Virus and threat protection. This single screen is where you run scans and manage Microsoft Defender Antivirus settings, so you will return to it for every step below.
There is also a shortcut that jumps straight to these settings without clicking through the app. Paste the URI windowsdefender://threatsettings/ into the Start menu search or the Run box, and it opens Virus and threat protection settings directly on both Windows 11 and Windows 10.
Confirming real-time protection is actually on
Before scanning, it is worth confirming your baseline protection is active. On the Virus and threat protection screen, go to Virus and threat protection settings and select Manage settings, then check that Real-time protection is toggled On.
If it is off, there are a few documented reasons. A compatible non-Microsoft antivirus may be installed, in which case Defender automatically turns itself off. Tamper Protection may be on, which has to be off before the toggle will respond. Or an organization administrator may have blocked the setting on a managed device.
There is one helpful safeguard built in: if real-time protection gets turned off manually, Windows re-enables it automatically after a short while. So even if something or someone disabled it, the system tends to restore protection on its own.
What Tamper Protection is guarding
Tamper Protection exists to stop malicious apps from quietly changing key Microsoft Defender Antivirus settings, specifically Real-time protection and Cloud-delivered protection. This matters because some malware tries to disable your defenses before doing damage.
With Tamper Protection on, an administrator can still change those settings inside the Windows Security app, but other apps cannot touch them. It does not affect how third-party antivirus apps work or how they register with Windows Security. You will find the toggle at Virus and threat protection > Manage settings > Tamper protection.
Turning real-time protection back on
If you found real-time protection switched off and want it back, follow these steps.
- 1.Open Windows Security.
- 2.Select Virus and threat protection.
- 3.Under Virus and threat protection settings, select Manage settings.
- 4.Switch Real-time protection to On.
If the toggle is grayed out, Tamper Protection is likely the cause. Turn Tamper protection off first while signed in as an administrator, then switch Real-time protection on. Keep in mind that if you turned real-time protection off manually, Windows turns it back on automatically after a short while, so you may not need to intervene at all.
Running a full scan first
A full scan is a sensible step before going offline, because it checks every file and program on your device while Windows is running. It is more thorough than the default Quick scan, which only checks the folders where threats are commonly found.
- 1.On the Virus and threat protection screen, look under Current threats and select Scan options.
- 2.Choose Full scan.
- 3.Select Scan now.
If you only want to check specific locations, the Custom scan option scans only the files and folders you select, which is faster when you already suspect where a problem lives.
Launching the Microsoft Defender Offline scan
This is the main event. The offline scan is the right tool when you suspect malware that a normal scan cannot clear, or when you simply want to scan with Windows out of the picture.
Save any open files before you begin, because your device will restart. The scan does not run inside your normal Windows session. Instead, the PC restarts and the scan runs in the Windows Recovery Environment, without loading Windows, which is why persistent malware has a harder time hiding or defending itself. When the scan finishes, the PC restarts automatically.
- 1.On the Virus and threat protection screen, under Current threats, select Scan options.
- 2.Choose Microsoft Defender Antivirus (offline scan).
- 3.Select Scan now.
- 4.Confirm the restart and let the scan complete; do not force a shutdown while it runs.
Because the scan operates in the recovery environment with Windows unloaded, it can find threats that have a harder time hiding when Windows is not running to defend them.
Checking what the offline scan found
The offline scan runs in the recovery environment rather than your normal Windows session, so you will want to review the results once it is done. After the scan completes and Windows reloads, open the Windows Security app again.
Select Protection history to see what was detected and any actions that were taken, such as items quarantined or removed. This is your record of whether the offline scan caught anything and what it did about it.
If you are still seeing signs of infection after all of this, Microsoft publishes an official follow-up resource titled "Troubleshoot problems with detecting and removing malware" that covers additional steps for stubborn cases.
Frequently Asked Questions
Do I need to download anything to run a Defender Offline scan?
No. On modern Windows 11 and Windows 10, the offline scan is built into the Windows Security app, which is the front end for Microsoft Defender Antivirus. There is no separate downloadable Defender Offline tool to install.
Will my computer restart during the offline scan?
Yes. The offline scan runs in the Windows Recovery Environment without loading Windows, so your device restarts to begin it and restarts again automatically when it finishes. Save any open files before you start so you do not lose unsaved work.
Why is my real-time protection turned off?
There are a few documented reasons: a compatible non-Microsoft antivirus is installed and Defender has turned itself off automatically, Tamper Protection is on and must be turned off first, or an organization administrator has blocked the setting. If it was switched off manually, Windows re-enables it automatically after a short while.
What is the difference between a full scan and an offline scan?
A full scan checks every file and program on your device while Windows is running. An offline scan restarts the PC and runs in the Windows Recovery Environment without loading Windows, which lets it find persistent malware that has a harder time hiding when the live operating system is not running.
Where can I see what the offline scan removed?
After the scan finishes and Windows reloads, open the Windows Security app and select Protection history. That screen shows what was found and any actions that were taken.
