Microsoft Defender Offline scan can purge deeply embedded malware that resists removal while Windows is running. Unlike a standard quick or full scan, this tool restarts your PC into a minimal, pre-boot environment. From there, it scours the file system for rootkits, persistent trojans, and other threats that hide from the live OS. The process is built into Windows Security, but many users trigger it without understanding when it’s necessary—or what to check before the reboot.

Microsoft introduced offline scanning with Windows Defender Offline back in the Windows 8 era. On Windows 10 and Windows 11, the feature lives inside Windows Security under Virus & threat protection > Scan options. You’ll find it listed as Microsoft Defender Offline scan. Selecting it immediately prompts a 15-second countdown, followed by an automatic restart. There is no pause or cancel button past the final confirmation. That abruptness catches people off guard, especially if they have unsaved work or critical tasks running.

When to Use Defender Offline Scan

Defender Offline is not a daily driver. It’s a surgical tool for infections that survive normal detection. Here are the prime scenarios:

  • Rootkit or bootkit infection: These hide below the operating system level. A standard scan won’t see them because the malware loads before Windows does. Offline scan boots from a clean environment, spotting hidden drivers and boot records.
  • Persistent malware that regenerates: Some threats rewrite themselves or spawn new processes each time the PC starts. Offline scan can disarm them before they have a chance to launch.
  • Unable to install or run updates: Malware sometimes blocks Windows Update or Defender signature downloads. An offline scan may remove the blocker so you can patch the system.
  • Suspicious behavior after a full scan shows clean: If your machine slows to a crawl, displays pop-ups, or shows odd network activity, yet a full scan finds nothing, an offline scan is a prudent next step.

Don’t use it as a first response to a minor nuisance. A full scan inside Windows is faster and can handle most non-rootkit malware. Reserve offline scanning for when you suspect a deep, stealthy infection.

How to Start the Scan

Launching Defender Offline takes only a few clicks, but the exact route depends on your Windows version. Here’s the common path:

  1. Open the Start menu, type Windows Security, and press Enter.
  2. Click Virus & threat protection.
  3. Under Current threats, click Scan options (it’s a small link below the Quick scan button).
  4. In the list, select Microsoft Defender Offline scan.
  5. Click Scan now.

One gotcha: on Windows 10, the label may still read Windows Defender Offline scan. Functionally, they are identical. After clicking Scan now, a prompt warns that the computer will restart in about one minute. Save anything open and close all applications before that countdown expires. If you miss the window, the machine restarts anyway—without saving your work.

What Happens During the Reboot

Once the countdown ends, Windows shuts down and boots into a special recovery environment. You’ll see a dark screen with the Defender logo and a progress bar. The scan typically takes 15 to 30 minutes, but heavily populated drives can extend that to over an hour. The interface shows the number of files scanned and any threats detected.

While it runs, the PC is offline—no network activity, no user interaction. You can’t pause or customize the scan scope. It checks all fixed drives, including secondary HDDs and SSDs, but may skip removable media. Encryption software, like BitLocker, doesn’t interfere because the recovery environment can unlock the drive using the same TPM that Windows uses.

When the scan finishes, the system automatically reboots back into normal Windows. The Defender interface doesn’t pop up immediately, so users often wonder if it even ran. The results are logged silently and visible only in Protection history.

Checking Results and Taking Action

After the reboot, here’s how to verify the outcome:

  • Go to Windows Security > Virus & threat protection.
  • Click Protection history.
  • Look for an event titled Microsoft Defender Offline scan completed with today’s timestamp. Expand it to see details.

If threats were found, Protection history lists each one with its severity, file location, and the action Defender took. Defender Offline will automatically quarantine or remove most threats. It doesn’t ask for permission during the offline scan. However, in rare cases, a threat might be marked as “allowed” if it’s in a location that triggers a false positive. You can manually remove those from the history by expanding the entry and choosing Remove.

Should the scan find a rootkit or bootkit, it will attempt a repair of the Master Boot Record (MBR) or EFI system partition. After such a repair, Windows should boot normally, but it’s wise to run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth afterward to fix any system file corruption.
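The post-reboot verification described above, as a PowerShell script added here (not from the article or Microsoft). It assumes an elevated session on Windows 10/11 with the built-in Defender module, that the offline scan ran within the last 24 hours, and that offline-scan detections land in the same detection history Windows Security's Protection history reads; the event IDs 1116/1117 are the standard Defender operational-log IDs for "malware detected" and "action taken".

```powershell
# Post-scan verification after the machine returns to Windows.
# Added example, not from the article or Microsoft; assumes an elevated
# PowerShell session and that the offline scan ran within the last 24 hours.
# Assumption: offline-scan detections appear in the same detection history
# that Windows Security's Protection history displays.
$since = (Get-Date).AddHours(-24)

function Get-RecentDetections {
    param([datetime]$Since)
    Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $Since } | ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Detected      = $_.InitialDetectionTime
            Name          = $threat.ThreatName
            SeverityID    = $threat.SeverityID          # higher = more severe
            Resources     = ($_.Resources -join '; ')   # file paths, boot records, etc.
            ActionSuccess = $_.ActionSuccess            # $false needs manual follow-up
            StatusID      = $_.ThreatStatusID
        }
    }
}

$hits = @(Get-RecentDetections -Since $since)
if ($hits.Count -eq 0) {
    Write-Host "No detections since $since. Confirm the 'Offline scan completed' entry in Protection history."
} else {
    $hits | Format-Table -AutoSize
    # Anything Defender could not act on is what to chase next.
    $hits | Where-Object { -not $_.ActionSuccess } | ForEach-Object {
        Write-Warning "Action failed for $($_.Name): $($_.Resources)"
    }
}

# Cross-check in the Defender operational log: 1116 = malware detected, 1117 = action taken.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List

# If anything was cleaned (a repaired MBR/EFI partition included), run the
# integrity checks the article recommends. Both take a while.
if ($hits.Count -gt 0) {
    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth
}
```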

Troubleshooting Common Issues

Scan never started, and PC rebooted normally

This can happen if the Windows Recovery Environment (WinRE) is damaged or if Secure Boot prevents the offline scanner from loading. Check these potential culprits:

  • Corrupted WinRE: Open an elevated Command Prompt and run reagentc /info. If WinRE is disabled, enable it with reagentc /enable.
  • Fast Startup interference: On some laptops, Fast Startup can skip the offline scan boot. Disable Fast Startup temporarily in Power Options.
  • Outdated Defender signatures: Ensure the antivirus definitions are current before launching the scan. Run a standard quick scan or use Update & Security > Windows Update to pull the latest intelligence.

Scan hangs or appears stuck

If the progress bar freezes for more than two hours, you can force-restart the machine by holding the power button. The PC should boot back into Windows normally. After logging in, check Protection history; sometimes the scan actually completed but the UI hung. If no results appear, try the scan again after updating definitions and disabling any third-party antivirus temporarily.

PC fails to boot after offline scan

This is a red flag: the scan may have removed a critical system file that was misidentified as malware. Boot into the Windows Recovery Environment (power on, then force the machine off while Windows is loading; after three interrupted starts it enters Automatic Repair), then:

  1. Choose Troubleshoot > Advanced options > Command Prompt.
  2. Run sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows (adjust drive letter if needed).
  3. Alternatively, use System Restore to roll back to a point before the scan.

If you can’t reach Recovery Mode, use a Windows installation USB to access the command prompt.

Defender Offline vs. Full Scan vs. Microsoft Safety Scanner

Microsoft offers multiple scanning depths, and it’s easy to confuse them. Here’s a quick comparison:

Scan Type | Environment | Scope | When to Use
Quick scan | Inside Windows | Common malware hiding spots (registry, startup folders) | Daily or weekly quick checks
Full scan | Inside Windows | All files and running processes | Suspected infection but system still functional
Defender Offline | Pre-boot recovery environment | All files, boot sectors, hidden drivers | Rootkits, persistent malware, failed full scans
Microsoft Safety Scanner | Standalone tool (portable) | All files, on-demand | Second opinion, no installation required, single-use

Defender Offline’s key advantage is its ability to examine disk areas that are locked during normal operation. The Safety Scanner is a downloadable executable that also does a deep clean but runs inside Windows. It’s not as effective against active rootkits but can be a good alternative if the offline scan won’t launch.

Best Practices Before You Click “Scan Now”

A forced restart can cost you work. Here’s a checklist:

  • Save everything. The 15-second warning gives little time. Hit Ctrl+S in all applications before navigating to Scan options.
  • Warn others. On a shared machine, alert anyone connected remotely or working on a different user session.
  • Plug in laptops. An offline scan can drain a laptop battery if it runs long. Keep AC power connected.
  • Update definitions manually. In Windows Security, go to Virus & threat protection > Check for updates to ensure you have the latest signatures before launching.
  • Disconnect external drives you don’t want scanned. While the offline scan usually targets internal drives, it’s safer to unplug backup drives unless you suspect infection there.
  • Set a System Restore point. This provides a fallback if something goes wrong. Search Create a restore point, select the system drive, and click Create.
  • Note your BitLocker recovery key. If your device is encrypted and the offline scan can’t unlock the drive, you might need the recovery key to boot. Have it handy.
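The checklist above, together with the "scan never started" checks from the Troubleshooting section (WinRE status, Fast Startup, stale definitions), as one pre-flight PowerShell script added here (not the article's or Microsoft's own code). It assumes an elevated session on Windows 10/11 with the built-in Defender and BitLocker modules; Start-MpWDOScan is the cmdlet equivalent of clicking Scan now and will restart the machine.

```powershell
# Pre-flight checks before launching Microsoft Defender Offline.
# Added example, not from the article or Microsoft; assumes an elevated
# PowerShell session on Windows 10/11 with the built-in Defender module.
$ready = $true

# Definitions: refresh if older than 24 hours (same as Check for updates in Windows Security).
$status = Get-MpComputerStatus
$ageHours = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
Write-Host ("Signature version {0}, updated {1:N1} h ago" -f $status.AntivirusSignatureVersion, $ageHours)
if ($ageHours -gt 24) { Update-MpSignature }

# WinRE: the offline scanner boots through it, so it must be enabled (reagentc /info).
$reInfo = (reagentc /info) -join "`n"
if ($reInfo -notmatch 'Windows RE status:\s+Enabled') {
    Write-Warning 'WinRE is disabled or damaged; run "reagentc /enable" first.'
    $ready = $false
}

# Fast Startup: HiberbootEnabled=1 means it is on and may skip the offline boot.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
if ((Get-ItemProperty -Path $powerKey).HiberbootEnabled -eq 1) {
    Write-Warning 'Fast Startup is on; turn it off in Power Options for this scan.'
    $ready = $false
}

# BitLocker: know which recovery key protector exists before a pre-boot environment asks for it.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($vol -and $vol.ProtectionStatus -eq 'On') {
    $ids = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    Write-Host "BitLocker is on. Recovery password protector ID(s): $($ids -join ', ')"
    Write-Host "Retrieve the key with: manage-bde -protectors -get $env:SystemDrive"
}

# Fallback: a restore point (Windows may skip it if one was created in the last 24 h).
Checkpoint-Computer -Description 'Before Defender Offline scan' -RestorePointType MODIFY_SETTINGS

# Launch only if the checks passed. Same action as Scan options >
# Microsoft Defender Offline scan > Scan now: the PC restarts after the countdown.
if ($ready) {
    Write-Host 'All checks passed. Save your work; the machine will restart shortly.'
    Start-MpWDOScan
} else {
    Write-Warning 'Fix the items above before starting the offline scan.'
}
```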

Security Beyond a Single Scan

Defender Offline is powerful, but it’s not a silver bullet. Persistent attackers can re-infect a cleaned system through network shares, email attachments, or unpatched vulnerabilities. After a successful cleanup:

  • Run Windows Update immediately and install all pending patches.
  • Change passwords for online accounts, especially if credential theft is suspected.
  • Enable Microsoft Defender’s cloud-delivered protection and automatic sample submission for faster outbreak response.
  • Check Startup in Task Manager and browser extensions for malicious entries that might have been added after the scan.

For business environments, consider deploying Microsoft Defender for Endpoint, which offers endpoint detection and response (EDR) capabilities far beyond standalone scans.

The Verdict

Microsoft Defender Offline scan remains one of the most effective, zero-cost weapons against rootkits and stealthy malware on Windows. Its tight integration with Windows Security means no extra downloads or bootable USB creation—just a restart. The catch is that users must understand when and why to use it. Firing it off for a simple adware pop-up is overkill and disrupts your workflow. But when a deep clean is the only way to evict an entrenched foe, that reboot is the smartest click you’ll make all week.