Enable and Use Windows 10/11 Windows Security Offline Scan to Remove Persistent Malware

Difficulty: Intermediate | Time Required: 20 minutes
Persistent malware can “dig in” by running as a service, driver, scheduled task, or by injecting itself into system processes—making it hard to remove while Windows is fully running. Microsoft Defender’s Windows Security Offline scan helps by rebooting your PC into a trusted scanning environment and checking system areas that are difficult to inspect during normal operation. It’s particularly useful for stubborn threats like rootkits, boot-time malware, and recurring infections.
This guide walks you through enabling and running an Offline scan on Windows 10 and Windows 11, plus what to do if the option is missing or the scan doesn’t solve the issue.

Prerequisites

Before you begin, make sure you have:
  • Administrator access on the PC.
  • Saved your work and closed apps (the scan requires a restart).
  • A reliable power source (plug in laptops).
  • Optional but recommended: a backup of important files (persistent malware removal can sometimes trigger repairs/quarantines that affect system behavior).
Windows version notes
  • Works on Windows 10 (1909 and later recommended) and Windows 11 with Microsoft Defender Antivirus available.
  • If you’re using a third-party antivirus, Microsoft Defender may be in Passive mode, which can hide or disable Offline scan.

Step-by-Step: Run Windows Security Offline Scan (GUI Method)

1) Confirm you're using Microsoft Defender Antivirus

  1. Press Win + I to open Settings.
  2. Go to:
    • Windows 11: Privacy & security → Windows Security
    • Windows 10: Update & Security → Windows Security
  3. Click Open Windows Security.
  4. Select Virus & threat protection.
Note: If you see a message like “You’re using other antivirus providers,” Offline scan may not be available until Defender is active.

2) (Recommended) Update security intelligence first

Updating signatures improves detection—especially before an Offline scan.
  1. In Windows Security → Virus & threat protection, under Virus & threat protection updates, click Protection updates (or Check for updates).
  2. Click Check for updates and wait for it to complete.
Tip: If updates fail due to suspected malware interference, continue with Offline scan anyway; it still catches many threats using built-in components.

3) Start the Offline scan

  1. In Virus & threat protection, scroll to Current threats.
  2. Click Scan options.
  3. Select Microsoft Defender Offline scan.
  4. Click Scan now.
Windows will display a warning that your PC will restart.
  5. Click Scan (or Scan now) to confirm.
Warning: Save open documents first. The PC will reboot shortly after you start Offline scan.

4) What happens during the Offline scan (and how long it takes)

  1. Your PC restarts into a special scanning environment.
  2. Defender scans key areas including:
    • Boot-related components
    • System files and drivers
    • Common persistence locations (startup, services, scheduled tasks)
    • Known malware locations
  3. The PC restarts back into Windows automatically when done.
Time estimate: Often 10–15 minutes, but it can be longer on slower disks or large system volumes.

5) Review results after Windows starts

After you’re back in Windows:
  1. Open Windows Security again → Virus & threat protection.
  2. Check Protection history.
  3. Look for entries marked:
    • Threat quarantined
    • Threat removed
    • Remediation incomplete (this may require follow-up steps)
Click an item to expand details (threat name, affected file, action taken).
Tip: If a threat was removed, reboot once more and monitor for symptoms returning (pop-ups, redirects, CPU spikes, unknown services, disabled security settings).
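The same information that Protection history shows can be pulled from PowerShell, which is handy when the Windows Security app is slow, blocked, or you want a record you can save. The script below is an added example and is not part of the original tutorial; it uses the Defender module cmdlets Get-MpThreatDetection and Get-MpThreat, and the numeric ThreatStatusID labels are the ones documented for the MSFT_MpThreatDetection class. The function name, the one-day look-back window and the "NeedsFollowUp" rule are our own choices. Run it from an elevated PowerShell window after the PC has rebooted back into Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial): summarise Defender's
# detection log the way Protection history does, and flag anything that
# still needs a follow-up action.

# ThreatStatusID values as documented for MSFT_MpThreatDetection.
# Anything >= 100 is a failed action; those are the "Remediation incomplete" cases.
$ThreatStatus = @{
    1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'; 5 = 'Allowed'; 6 = 'Blocked'
    102 = 'QuarantineFailed'; 103 = 'RemoveFailed'; 104 = 'CleanFailed'
    105 = 'AllowFailed'; 106 = 'Abandoned'; 107 = 'BlockFailed'
}

function Get-DefenderDetectionReport {
    param([int]$Days = 1)   # look-back window; 1 day covers an Offline scan run today

    $since = (Get-Date).AddDays(-$Days)

    # Index threat metadata (name, severity) by ThreatID so each detection can be labelled
    $threats = @{}
    Get-MpThreat | ForEach-Object { $threats[$_.ThreatID] = $_ }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $meta   = $threats[$_.ThreatID]
            $name   = if ($meta) { $meta.ThreatName } else { "ThreatID $($_.ThreatID)" }
            $sev    = if ($meta) { $meta.SeverityID } else { $null }
            $status = $ThreatStatus[[int]$_.ThreatStatusID]
            if (-not $status) { $status = "Unknown($($_.ThreatStatusID))" }

            [pscustomobject]@{
                Detected      = $_.InitialDetectionTime
                Threat        = $name
                Severity      = $sev
                Status        = $status
                ActionSuccess = $_.ActionSuccess
                Resources     = ($_.Resources -join '; ')   # files, registry keys, processes involved
                # Our rule: a failed action code or ActionSuccess = False means follow up
                NeedsFollowUp = ([int]$_.ThreatStatusID -ge 100) -or (-not $_.ActionSuccess)
            }
        } | Sort-Object Detected -Descending
}

$report = Get-DefenderDetectionReport -Days 1

if (-not $report) {
    Write-Host "No detections recorded in the look-back window."
}
else {
    $report | Format-Table Detected, Threat, Severity, Status, ActionSuccess, NeedsFollowUp -AutoSize

    $pending = $report | Where-Object { $_.NeedsFollowUp }
    if ($pending) {
        Write-Warning "$($pending.Count) detection(s) need follow-up (see Troubleshooting 2):"
        $pending | Format-List Threat, Status, Resources
    }

    # Keep a copy for later comparison (path is an example location)
    $report | Export-Csv -Path "$env:USERPROFILE\Desktop\defender-detections.csv" -NoTypeInformation
}
```

If the list is empty but symptoms persist, that is itself useful: it means the Offline scan did not recognise whatever is running, and the Full scan and persistence checks in Troubleshooting 2 are the next step.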

Alternative Method: Start Offline Scan from PowerShell (Admin)

If the GUI is missing or you prefer scripting:
  1. Right-click Start → Windows Terminal (Admin) or PowerShell (Admin).
  2. Run:
     Start-MpWDOScan
  3. Windows will prompt/reboot into the Offline scan environment.
Note: If this command fails, Defender may be disabled, replaced by a third-party AV, or impacted by policy settings.
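Before running Start-MpWDOScan it is worth confirming that Defender is actually the active engine, that its service is running and that signatures are fresh, because those are exactly the conditions under which the command silently fails or the scan runs with stale intelligence. The script below is an added example, not part of the original tutorial; it relies only on the Defender module cmdlets (Get-MpComputerStatus, Update-MpSignature, Start-MpWDOScan) and the WinDefend service name. The function name and the seven-day "stale signatures" threshold are our own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial): pre-flight checks, then
# start the Offline scan. Run from an elevated PowerShell window.

function Test-DefenderReadyForOfflineScan {
    # Troubleshooting 1, cause 3: is the Defender AV service (WinDefend) present and running?
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "WinDefend service not found; Defender may be removed, replaced or blocked by policy."
        return $false
    }
    Write-Host ("WinDefend service        : {0} (start type {1})" -f $svc.Status, $svc.StartType)
    if ($svc.Status -ne 'Running') {
        Write-Warning "WinDefend is not running; a disabled/stopped service can be a sign of tampering."
        return $false
    }

    $status = Get-MpComputerStatus
    Write-Host ("Running mode             : {0}" -f $status.AMRunningMode)
    Write-Host ("Antivirus enabled        : {0}" -f $status.AntivirusEnabled)
    Write-Host ("Real-time protection     : {0}" -f $status.RealTimeProtectionEnabled)
    Write-Host ("Signatures last updated  : {0}" -f $status.AntivirusSignatureLastUpdated)

    # Troubleshooting 1, cause 1: "Passive Mode" means a third-party AV is primary,
    # and the Offline scan option is normally unavailable in that state.
    if ($status.AMRunningMode -ne 'Normal') {
        Write-Warning "Defender is in '$($status.AMRunningMode)' mode; Offline scan may not be available."
        return $false
    }
    if (-not $status.AntivirusEnabled) {
        Write-Warning "Antivirus engine is disabled (policy or tampering); fix that first."
        return $false
    }

    # Stale-signature warning; the 7-day threshold is our own choice
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt 7) {
        Write-Warning ("Signatures are {0:N0} days old; an update will be attempted." -f $age.TotalDays)
    }
    return $true
}

if (Test-DefenderReadyForOfflineScan) {
    # Step 2 of the guide: refresh security intelligence. A failure is not fatal;
    # the Offline scan still runs with its built-in components.
    try   { Update-MpSignature -ErrorAction Stop; Write-Host "Security intelligence updated." }
    catch { Write-Warning "Signature update failed: $($_.Exception.Message). Continuing anyway." }

    Write-Host "Save open work now: the PC reboots shortly after the next step."
    Read-Host "Press Enter to start the Offline scan (Ctrl+C to abort)" | Out-Null
    Start-MpWDOScan
}
else {
    Write-Host "Resolve the warnings above (see Troubleshooting 1), then run this again."
}
```

The checks map directly onto the three causes listed under Troubleshooting 1 below, so if the script returns early the warning it prints tells you which of those sections to read.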

Tips, Warnings, and Troubleshooting

Tip: Run a quick scan first, then Offline scan

If you suspect active infection:
  1. Run Quick scan first (to remove obvious items).
  2. Then run Offline scan (to catch stealthy/persistent components).
This can shorten Offline scan time and reduce reinfection during normal boot.

Troubleshooting 1: "Microsoft Defender Offline scan" option is missing

Common causes and fixes:
  1. Third-party antivirus installed
    • Temporarily disable/uninstall the third-party AV (only if you trust your environment and have a plan).
    • Reboot and check again.
    • After cleanup, you can reinstall your preferred AV if desired.
  2. Defender disabled by policy (common on work PCs)
    • If it’s a managed device (domain/organization), your admin may restrict scans.
    • Check Windows Security for “Managed by your organization.”
    • You may need IT assistance.
  3. Defender service not running
    • Press Win + R, type services.msc, press Enter.
    • Look for Microsoft Defender Antivirus Service (name may vary).
    • If it’s disabled or won’t start, that can be a sign of malware tampering—Offline scan or Safe Mode cleanup may be required.
Warning: Malware sometimes disables Defender or blocks Windows Security pages. If Windows Security won’t open at all, consider running the scan via PowerShell or using Microsoft’s bootable recovery options (outside the scope of this specific tutorial).

Troubleshooting 2: Offline scan runs but malware symptoms return

This often means either a persistence mechanism remains, or the system is being reinfected.
Try this sequence:
  1. Run a Full scan
    • Windows Security → Virus & threat protection → Scan options → Full scan.
  2. Check Protection history actions
    • If you see "Remediation incomplete," click it and retry the recommended action.
  3. Update Windows
    • Settings → Windows Update → Check for updates.
    • Security patches can close the door the malware used.
  4. Check for suspicious startup persistence
    • Open Task Manager → Startup tab → disable unknown entries.
    • Check Task Scheduler for suspicious scheduled tasks (advanced users).
    • Review Apps → installed programs for unknown toolbars/PUPs.
  5. Change passwords from a clean device
    • If you suspect credential theft, change important passwords (email, banking) from another known-clean device.
Note: Offline scan is excellent, but no single tool is a guaranteed cure for every threat, especially with advanced rootkits or firmware-level infections.
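Step 4 above has you look through Task Manager, Task Scheduler and the installed-programs list by hand. The script below is an added example (not from the original tutorial) that collects the same persistence locations into one read-only inventory you can sort, save and compare against a known-good machine: the Run/RunOnce registry keys, both Startup folders, enabled scheduled tasks outside the Microsoft\ tree, and auto-start services whose binary lives outside the Windows directory. It only lists entries; disabling or deleting anything remains a manual decision. The function name and the "Suspect" heuristic (a command path under Temp, AppData, ProgramData or Users\Public) are our own and will flag some legitimate software, so treat that column as a triage hint, not a verdict.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial): read-only inventory of the
# common startup persistence locations named in Troubleshooting 2, step 4.

function Get-StartupPersistenceInventory {
    $items = New-Object System.Collections.Generic.List[object]

    function Add-Item($Type, $Name, $Command, $Source) {
        # Heuristic only: user-writable staging paths deserve a second look
        $suspect = $Command -match '\\(Temp|AppData|ProgramData|Users\\Public)\\'
        $items.Add([pscustomobject]@{
            Type = $Type; Name = $Name; Command = $Command; Source = $Source; Suspect = $suspect
        })
    }

    # 1. Run / RunOnce keys, per-machine (incl. 32-bit view) and per-user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            Add-Item 'RegistryRun' $p.Name ([string]$p.Value) $key
        }
    }

    # 2. Startup folders (current user and all users)
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            Add-Item 'StartupFolder' $_.Name $_.FullName $dir
        }
    }

    # 3. Enabled scheduled tasks outside Microsoft's own \Microsoft\ tree
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
            Add-Item 'ScheduledTask' $_.TaskName $actions $_.TaskPath
        }

    # 4. Auto-start services whose binary is not under the Windows directory
    $winRoot = [regex]::Escape($env:SystemRoot)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch $winRoot } |
        ForEach-Object {
            Add-Item 'Service' $_.Name $_.PathName "state=$($_.State)"
        }

    return $items
}

$inventory = Get-StartupPersistenceInventory
$inventory | Sort-Object Type, Name | Format-Table Type, Name, Suspect, Command -AutoSize -Wrap

$flagged = $inventory | Where-Object { $_.Suspect }
Write-Host ("{0} entries total, {1} flagged by the path heuristic." -f $inventory.Count, $flagged.Count)

# Save a snapshot (example path) so a later run can be diffed with Compare-Object
$inventory | Export-Csv -Path "$env:USERPROFILE\Desktop\startup-inventory.csv" -NoTypeInformation
```

Running the inventory once before the Offline scan and once after, then comparing the two CSV files, shows whether the scan actually removed the persistence entry or only the payload it launched; an entry that survives and points at a file that no longer exists is a leftover to clean up by hand.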

Troubleshooting 3: BitLocker Recovery Key prompt appears

On some systems (especially Windows 11 with device encryption/BitLocker), a reboot into a different environment can trigger a recovery key prompt.
  • If you're prompted, you'll need the BitLocker Recovery Key (often saved to your Microsoft account, your organization, or printed/saved by the user).
  • Retrieve it at: https://account.microsoft.com/devices/recoverykey (if device encryption is tied to your Microsoft account).
Warning: Don’t proceed with risky changes if you cannot access your recovery key—plan first to avoid being locked out.

Safety note: Don't "restore" quarantined malware casually

If Defender quarantines something, only restore it if you are 100% certain it’s a false positive and you’ve verified the file/source. Restoring the wrong item can reinfect the system.

Conclusion

Windows Security Offline scan is one of the most practical built-in tools for dealing with persistent malware that hides or reactivates while Windows is running. By scanning outside the normal desktop environment, it can remove threats that resist standard cleanup methods. Used alongside updated security intelligence, Protection history review, and follow-up scanning, it’s an effective part of a solid malware-removal workflow for both Windows 10 and Windows 11.
Key Takeaways:
  • Offline scan reboots into a trusted environment to remove hard-to-detect, persistent malware.
  • Always update Defender’s security intelligence first for best detection.
  • Review Protection history after the scan to confirm what was found and what actions were taken.
  • If the option is missing, check for third-party antivirus conflicts or organizational restrictions.
  • Follow up with Full scan and Windows updates if symptoms return.

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.