Microsoft Defender for Endpoint enables security teams to initiate antivirus scans on remote devices directly from the cloud portal. This capability is essential for investigating potential infections, responding to alerts, and performing routine security checks without requiring physical access or end-user involvement.
Prerequisites
Before running remote scans, ensure:
- Device is onboarded to Microsoft Defender for Endpoint
- Device is online and communicating with the Defender cloud
- Appropriate permissions: Security Operator or Security Administrator role
- Microsoft Defender Antivirus is active (not in passive mode)
Understanding Scan Types
| Scan Type | Duration | Coverage | Use Case |
|---|---|---|---|
| Quick Scan | 5-20 minutes | Common malware locations | Routine checks, post-alert verification |
| Full Scan | 1-6+ hours | All files and folders | Suspected infection, periodic deep scan |
| Custom Scan | Varies | Specific paths | Targeted investigation |
Step 1: Navigate to the Device
- Sign in to the Microsoft Defender portal
- Go to Assets > Devices
- Search for the target device by name, IP, or user
- Click on the device to open its details page
- Verify the device shows Active status
Step 2: Initiate a Remote Scan
Run a Quick Scan
- On the device page, click the ... (ellipsis) menu in the top right
- Select Run antivirus scan
- Choose Quick scan
- Add an optional comment explaining why you're running the scan
- Click Confirm
The scan will start within a few minutes when the device next checks in.
Run a Full Scan
- On the device page, click the ... menu
- Select Run antivirus scan
- Choose Full scan
- Add a comment (recommended for audit trail)
- Click Confirm
Note: Full scans can take several hours. Consider scheduling these during off-hours or maintenance windows.
Step 3: Run Scans on Multiple Devices
Using Bulk Actions
- Go to Assets > Devices
- Use filters to select target devices:
  - Filter by Device group
  - Filter by Health state
  - Filter by Tag
- Select multiple devices using checkboxes
- Click Actions in the toolbar
- Select Run antivirus scan
- Choose scan type and confirm
Using Device Groups
For routine scanning of specific device categories:
- Navigate to Settings > Endpoints > Device groups
- Identify or create a device group for target devices
- Use the group filter in device inventory
- Perform bulk scan action on the filtered list
Step 4: Monitor Scan Progress
Check Action Center
- Go to Actions & submissions > Action center
- Select the History tab
- Filter by:
  - Action type: Antivirus scan
  - Initiator: Your account
- View scan status: Pending, Running, Completed, Failed
Check Device Timeline
- Open the device details page
- Click on Timeline
- Filter events by Antivirus category
- Look for scan-related entries:
  - AntivirusScanInitiated
  - AntivirusScanCompleted
  - ThreatDetected (if malware found)
Review Scan Results
After scan completion, check results in the timeline:
```text
Event: AntivirusScanCompleted
Scan Type: QuickScan
Start Time: 2025-01-15 14:30:00
End Time: 2025-01-15 14:35:42
Files Scanned: 45,231
Threats Detected: 0
```
If threats are detected, additional events will show:
- Threat name and category
- File path and hash
- Remediation action taken
Step 5: Run Custom Path Scans
For targeted investigations, scan specific folders:
Using PowerShell Live Response
- On the device page, click Initiate Live Response Session
- Wait for the session to connect
- Run a custom scan command:
```powershell
# Scan a specific folder; CustomScan limits the scan to the path given in -ScanPath
Start-MpScan -ScanPath "C:\Users\username\Downloads" -ScanType CustomScan

# Scan multiple paths, running one custom scan per path
$paths = @("C:\Temp", "D:\Shared", "C:\Users\Public")
foreach ($path in $paths) {
    Start-MpScan -ScanPath $path -ScanType CustomScan
}
```
- Monitor scan output in the Live Response console
Using API
For automation, use the Microsoft Defender API:
```bash
# Initiate a scan via the API; {machineId} and {access_token} are placeholders
# for the device's machine ID and an OAuth bearer token for the Defender API
curl -X POST "https://api.securitycenter.microsoft.com/api/machines/{machineId}/runAntiVirusScan" \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/json" \
  -d '{"Comment": "Scan initiated via API", "ScanType": "Quick"}'
```
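The bulk action in Step 3, the Action Center status check in Step 4 and the single curl call above combine naturally into one script. The following is an added example (not Microsoft's sample code and not part of the original page): it obtains a token with the client-credentials grant, posts a `runAntiVirusScan` request for each machine ID in a list, and polls `GET /api/machineactions/{id}` until every action reaches a terminal status. The tenant, client and machine identifiers are placeholders, and the HTTP transport is injectable so the logic can be exercised offline with a fake.

```python
"""Bulk remote antivirus scan through the Microsoft Defender for Endpoint API.

Added example, not Microsoft's sample code. Assumes an Entra app registration
holding the Machine.Scan application permission; all IDs below are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# MachineAction statuses that will not change any more; Pending/InProgress are not terminal.
TERMINAL = {"Succeeded", "Failed", "Cancelled", "TimeOut"}


def http_json(method, url, headers=None, body=None):
    """Default transport: send an optional byte body and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_token(tenant_id, client_id, client_secret, transport=http_json):
    """Client-credentials grant scoped to the Defender for Endpoint API."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.securitycenter.microsoft.com/.default",
    }).encode()
    data = transport("POST", TOKEN_URL.format(tenant=tenant_id),
                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return data["access_token"]


def start_scan(token, machine_id, scan_type="Quick", comment="", transport=http_json):
    """POST .../machines/{id}/runAntiVirusScan and return the MachineAction record."""
    if scan_type not in ("Quick", "Full"):
        raise ValueError("ScanType must be 'Quick' or 'Full'")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"Comment": comment, "ScanType": scan_type}).encode()
    return transport("POST", f"{API_BASE}/machines/{machine_id}/runAntiVirusScan", headers, body)


def get_action(token, action_id, transport=http_json):
    """GET .../machineactions/{id}; the 'status' field mirrors the Action Center view."""
    return transport("GET", f"{API_BASE}/machineactions/{action_id}",
                     {"Authorization": f"Bearer {token}"})


def scan_many(token, machine_ids, scan_type="Quick", comment="", poll_seconds=30,
              max_polls=20, transport=http_json, sleep=time.sleep):
    """Start one scan per machine, then poll until each action is terminal.

    Returns {machine_id: status}. A request that the API rejected is recorded as
    'RequestFailed'; an action still Pending/InProgress after max_polls is 'StillPending',
    which is the "scan won't start" symptom worth following up on the device.
    """
    actions = {}
    for mid in machine_ids:
        try:
            actions[mid] = start_scan(token, mid, scan_type, comment, transport)["id"]
        except Exception as exc:  # record per-device failure, keep going with the rest
            actions[mid] = None
            print(f"{mid}: scan request failed: {exc}")
    results = {mid: "RequestFailed" for mid, aid in actions.items() if aid is None}
    pending = {mid: aid for mid, aid in actions.items() if aid}
    for _ in range(max_polls):
        if not pending:
            break
        for mid, aid in list(pending.items()):
            status = get_action(token, aid, transport)["status"]
            if status in TERMINAL:
                results[mid] = status
                del pending[mid]
        if pending:
            sleep(poll_seconds)
    for mid in pending:
        results[mid] = "StillPending"
    return results


if __name__ == "__main__":
    # Placeholder values; replace with your tenant, app registration and machine IDs.
    tok = get_token("{tenant_id}", "{client_id}", "{client_secret}")
    print(scan_many(tok, ["{machineId1}", "{machineId2}"], comment="Bulk quick scan via API"))
```

Keep the comment non-empty in real use: it is what shows up in the Action Center history and is the audit trail the page recommends in Step 2.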
Step 6: Configure Scheduled Scans
For proactive protection, configure scheduled scans via policy:
Using Microsoft Intune
- Go to Intune admin center
- Navigate to Endpoint security > Antivirus
- Create a new policy or edit existing
- Configure scan settings:
| Setting | Recommended Value |
|---|---|
| Scheduled scan type | Quick scan |
| Scheduled scan day | Daily |
| Scheduled scan time | 12:00 (during lunch) |
| Check for signature updates before scan | Yes |
| Low CPU priority | Yes |
- Assign to device groups
Using Group Policy
For domain-joined devices:
- Open Group Policy Management
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan
- Configure policies:
- Specify the scan type for scheduled scan: Quick scan
- Specify the day of the week to run a scheduled scan: Every day
- Specify the time of day to run a scheduled scan: 720 (12:00 PM)
Troubleshooting
Scan Won't Start
Symptoms: Scan action shows "Pending" for extended time.
Solutions:
- Verify device is online and active
- Check that Defender Antivirus is enabled (not in passive mode)
- Ensure no other scan is currently running
- Restart the Sense service on the device:

```powershell
Restart-Service -Name Sense
```
Scan Fails
Symptoms: Action shows "Failed" in Action Center.
Solutions:
- Check device health status in portal
- Review Windows Event Logs on the device:
  - Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
- Ensure sufficient disk space for scan operations
- Verify no third-party AV is conflicting
Slow Scan Performance
Symptoms: Full scans take excessively long.
Solutions:
- Configure scan exclusions for known-good large folders
- Set scan to low CPU priority
- Exclude files by type (e.g., database files, ISO images)
- Schedule scans during maintenance windows
Best Practices
When to Use Remote Scans
- Alert follow-up: Scan after investigating an alert
- User-reported issues: When user reports suspicious activity
- Routine verification: Periodic checks on critical systems
- Post-remediation: Confirm threats were removed
Scan Optimization Tips
- Use quick scans routinely: Full scans are resource-intensive
- Configure exclusions: Exclude known-safe, frequently-scanned locations
- Schedule off-hours: Run full scans during nights or weekends
- Monitor completion: Ensure scans finish successfully
- Review results: Check scan logs for detected and remediated threats
Exclusion Recommendations
Common exclusions to improve scan performance:
| Path | Reason |
|---|---|
| C:\Windows\SoftwareDistribution | Windows Update files |
| Database file paths (.mdf, .ldf) | Large, frequently accessed |
| Virtual machine files (.vhdx) | Large, managed separately |
| Backup folders | Large, already scanned at source |
Warning: Only exclude paths you trust. Never exclude user-writable folders like Downloads or Temp.
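The warning above is easy to state and easy to violate once exclusions are pushed by policy to hundreds of devices. The following is an added example (not part of the original page or of any Microsoft tooling) that reviews a list of candidate exclusion entries before they go into an Intune or Group Policy setting: it rejects anything inside a user profile or a folder ordinary users can write to (Downloads, Temp, Desktop and similar), and flags extension-wide or wildcard entries for review, since those apply everywhere on the disk. The folder-name list and the three-way verdict are my own choices, not a Microsoft rule set.

```python
"""Sanity-check Defender Antivirus exclusion candidates before deploying them by policy.

Added example, not from the original page. Encodes the page's warning (never exclude
user-writable folders such as Downloads or Temp) and two extra checks of my own:
extension exclusions and wildcards, which widen the unscanned area device-wide.
"""
import re
from pathlib import PureWindowsPath

# Folder names ordinary users can write to. Excluding one of these means a file a user
# (or anything running as that user) drops there is never scanned. Assumed list, not exhaustive.
USER_WRITABLE_NAMES = {"downloads", "temp", "tmp", "desktop", "documents", "appdata", "public"}
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)


def assess_exclusion(entry: str) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'ok', 'review' or 'reject'."""
    e = entry.strip()
    # Extension exclusions (".mdf" or "*.mdf") are not tied to a folder at all.
    if e.startswith("*.") or (e.startswith(".") and "\\" not in e):
        return "review", "extension exclusion applies to every folder on the device"
    if "*" in e or "?" in e:
        return "review", "wildcard widens the excluded area; confirm what it matches"
    # Anything under C:\Users\<name>\... is user-writable by definition.
    if USER_PROFILE_RE.match(e):
        return "reject", "inside a user profile; malware dropped here would go unscanned"
    # Compare each path component (drive letter dropped, %VAR% markers stripped) to the list.
    names = {part.lower().strip("%\\") for part in PureWindowsPath(e).parts
             if not DRIVE_RE.match(part)}
    if not names:
        return "reject", "excludes an entire drive"
    if names & USER_WRITABLE_NAMES:
        return "reject", "user-writable folder in path; malware dropped here would go unscanned"
    return "ok", "no obvious risk indicator; still confirm the path is trusted"


def review_exclusions(entries):
    """Map each candidate entry to its (verdict, reason)."""
    return {e: assess_exclusion(e) for e in entries}


if __name__ == "__main__":
    # Constructed sample list mixing the page's recommendations with risky entries.
    candidates = [
        r"C:\Windows\SoftwareDistribution",
        r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA",
        r"D:\Backups",
        "*.vhdx",
        r"C:\Users\alice\Downloads",
        r"C:\Temp",
        "%TEMP%",
        "C:\\",
    ]
    for entry, (verdict, reason) in review_exclusions(candidates).items():
        print(f"{verdict:7} {entry:55} {reason}")
```

Run it against the exclusion list exported from your policy; any `reject` verdict deserves a second look before the policy ships, and `review` entries should be narrowed to a specific folder where possible.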
Next Steps
After mastering remote scans:
- Investigate security incidents using scan results
- Configure Attack Surface Reduction rules for prevention
- Set up automated remediation for detected threats
- Configure cloud-delivered protection for real-time threat updates
Need comprehensive endpoint protection management? Inventive HQ provides 24/7 managed detection and response services for Microsoft Defender for Endpoint. Contact us to learn more.