Microsoft Defender Offline Scan Not Working: No Restart or No Results

Brendan Smith
Brendan Smith - Cybersecurity Analyst
14 Min Read
A Windows PC caught in a restart loop while Microsoft Defender Offline fails to enter its scan environment.
An offline scan can return directly to Windows when Defender or the recovery environment is not ready.

When Microsoft Defender Offline Scan does nothing, restarts the PC straight back into Windows, or leaves no visible result, the usual problem is the scan environment rather than proof of malware interference. Defender must be the active primary antivirus, the request must come from a local administrator, and Windows Recovery Environment (WinRE) must be enabled. Save your work, prepare BitLocker safely, check WinRE with reagentc /info, update Windows and Defender, and then retry with Start-MpWDOScan. Do not disable Defender, delete Protection History, or change boot records to force the scan.

Use the exact symptom to choose the next check. A button that closes without a restart, a normal restart without the offline screen, and a completed-looking scan with no detection card are three different states.

Match the symptom before changing anything

What happens What to check next
Scan now closes or does nothing Confirm you approved the administrator prompt, save all open work, restart Windows once, and verify that Microsoft Defender is the primary antivirus.
The PC restarts normally without showing the offline scanner Check WinRE with reagentc /info. Microsoft documents that an offline scan can fail silently when WinRE is disabled.
The offline screen appears briefly, exits, or produces a blue-screen error Install Windows and Defender updates, retry once, and stop if the same crash repeats. Repeated boot-environment errors need Windows recovery or Microsoft/OEM support, not random BCD commands.
The scan appeared to run, but Protection History shows nothing new Check whether the offline screen actually appeared and review Defender’s Operational event log. No new threat card may simply mean no detection, but an empty page alone does not prove the scan ran.
Microsoft Defender Offline is missing from Scan options Check the device architecture, active antivirus, organization policy, and whether the whole Virus & threat protection page is unavailable.

Prepare Windows safely before retrying

  1. Save your work and close running programs. A successful offline scan signs you out and restarts the PC.
  2. Confirm that Defender is active. A compatible third-party antivirus normally puts Microsoft Defender Antivirus into passive mode. Use the active security product’s supported scan or rescue workflow instead of removing protection just to expose one Defender option.
  3. Use a local administrator account. A standard user can view parts of Windows Security, but the offline-scan request requires elevation.
  4. Prepare BitLocker or Device Encryption. Make sure the recovery key is available. Microsoft recommends suspending BitLocker protection before the offline scan so the restart does not unexpectedly request the recovery key. Suspend protection through Windows; do not decrypt the drive.
  5. Check the platform. Microsoft’s current integrated Offline Scan requirements exclude Windows on ARM and Windows Server. Do not try to work around that boundary with unsupported boot changes.

If Windows Security identifies another antivirus as the current provider, decide which product is supposed to protect the PC before continuing. Two partially active security products can make the status confusing. If you intentionally return to Defender, remove the other product through its official uninstall process, restart, and confirm that real-time protection is active before attempting an offline scan.

Check Windows Recovery Environment

Microsoft Defender Offline runs outside the normal Windows session in WinRE. Open Terminal (Admin) or Command Prompt (Admin) and run:

reagentc /info

Find the line named Windows RE status. If it says Enabled, do not disable it merely to toggle the setting. Move to the Defender update and PowerShell checks below.

If it says Disabled, run:

reagentc /enable

Run reagentc /info again and confirm that the status changed to Enabled. Then restart Windows normally before retrying the offline scan. Microsoft states that when WinRE is disabled, Defender Offline may not run and may show no error at all.[1]

If reagentc /enable fails, the Windows RE location is blank, or the recovery image cannot be found, stop there. Do not copy an unknown winre.wim, assign recovery partitions blindly, or paste a BCD repair sequence from a forum. That is a Windows recovery configuration problem. Back up important files and use Microsoft or the PC manufacturer’s recovery guidance.

Update Defender and trigger the supported retry

Open Windows Update, install available quality and security updates, and restart. Then open Windows Security > Virus & threat protection > Protection updates and check for updates. The offline environment uses the Defender platform, engine, and current security intelligence available on the PC.

Try the normal interface once more: Virus & threat protection > Scan options > Microsoft Defender Antivirus (offline scan) > Scan now. If the interface still fails but Defender is active and WinRE is enabled, open PowerShell as administrator and run:

Start-MpWDOScan

This is Microsoft’s supported PowerShell trigger. It should schedule the scan and restart the PC. It is not a command to run repeatedly: if the same normal-restart behavior continues, collect the evidence below instead of queuing more restarts.

How to tell whether the offline scan was scheduled

Open Event Viewer and go to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational. Look around the time you selected Scan now.

On current Windows versions, Event ID 2030 says that Microsoft Defender Antivirus downloaded and configured the offline scan to run on the next reboot. That event is useful, but interpret it precisely: it confirms the request was prepared; it does not prove that the PC successfully entered WinRE or completed the scan.[1]

A normal run signs you out, enters a different-looking Microsoft Defender Antivirus offline screen, scans for roughly 15 minutes, and restarts into Windows. The duration varies, so do not treat an exact minute count as a pass/fail test. If Event ID 2030 is present but Windows immediately returns to the desktop without the offline screen, the handoff to the recovery environment is still the failing step.

Where to find the result

After Windows starts, open Windows Security > Virus & threat protection > Protection history. Microsoft uses Protection History to show Defender actions, detected malware, potentially unwanted apps, and security-service warnings.[2]

If a threat was detected, record its exact name, affected path, action, and time before clearing anything. Use the Microsoft Defender detection and remediation-status guide to distinguish quarantined, removed, remediation incomplete, and failed actions.

If there is no new threat card, that can mean the scan found nothing. It does not, by itself, prove that the offline scan ran, nor does one clean scan prove that no account or browser data was exposed before cleanup. Confirm that you saw the offline environment and compare the event timestamp with the attempted run. If Protection History itself is blank, stuck, or inaccessible, preserve available evidence before repairing the app.

If Windows Security or Scan options are broken

When Virus & threat protection is missing, says it is managed by an administrator on a personal PC, or the threat service will not start, troubleshoot that owner page first. The Virus & threat protection page repair guide covers third-party antivirus registration, services, policy, and Windows Security repair without duplicating those risky steps here.

If multiple Windows components are malfunctioning, Microsoft’s supported repair order is DISM followed by System File Checker:[3]

DISM.exe /Online /Cleanup-image /Restorehealth
sfc /scannow

Let each command finish. Repairing system files is appropriate for a broken Windows component; it is not a substitute for scanning a suspicious download or removing persistence.

Choose a safe fallback if Offline Scan still will not run

If you still suspect malware

An Offline Scan failure alone is not evidence that malware disabled it. Escalate when the same detection returns after reboot, a suspicious file already ran, security settings keep changing, scanners close unexpectedly, or unknown tasks and startup items reappear. In those cases, the visible file may be only one component. A loader, scheduled task, service, browser extension, or bundled app can survive the first action and recreate the symptom.

After completing the supported Microsoft checks, run Gridinsoft Anti-Malware to look for detections, hidden files, scheduled tasks, startup entries, bundled apps, and browser changes. A second scan can find persistence; it cannot prove that no data was exposed or replace password changes after a stealer incident.

Check for malware that survives a normal scan

Defender can quarantine the visible file, but repeated alerts may mean a loader, scheduled task, service, browser change, or bundled component is recreating it. Scan the PC before trusting the cleanup.

Scan for persistent threats

What not to do

  • Do not disable real-time protection or add broad exclusions to make the scan start.
  • Do not delete Protection History before recording a detection name, path, action, and timestamp.
  • Do not repeatedly disable and re-enable WinRE when it already reports Enabled.
  • Do not edit BCD, recovery partitions, or registry policies from an unverified forum command list.
  • Do not interpret Event ID 2030 as proof that the scan completed.
  • Do not treat one clean result as proof that a file never ran or an account was never exposed.

FAQ

Why does Defender Offline restart the PC but not scan?

The most common supported checks are whether Defender is the primary antivirus, the request was elevated by a local administrator, and WinRE is enabled. If Event ID 2030 exists but the offline screen never appears, the request was scheduled but the recovery-environment handoff failed.

How long should Microsoft Defender Offline take?

Microsoft says the scan takes about 15 minutes, followed by another restart. Hardware and the scan environment can change the timing. The important signs are that the distinct offline screen appears and Windows restarts after the scan.

Does an empty Protection History mean the scan found nothing?

It may mean no threat was detected, but an empty page does not prove the scan ran. Confirm that the offline environment appeared and review the Defender Operational log around the attempt.

Can BitLocker prevent the offline scan?

BitLocker can prompt for the recovery key when Windows enters the offline environment. Keep the recovery key available and use Windows’ normal Suspend protection option before the scan. Do not decrypt the drive.

Can I run Defender Offline while another antivirus is active?

Microsoft requires Defender Antivirus to be the primary antivirus, not passive. If another product is active, use its supported scan workflow or intentionally return to Defender through the vendor’s official uninstall process. Do not leave the PC unprotected just to expose this option.

References

  1. Microsoft. “Run and review the results of a Microsoft Defender Offline scan.” Microsoft Learn, accessed July 17, 2026. learn.microsoft.com.
  2. Microsoft. “Protection History in the Windows Security App.” Microsoft Support, accessed July 17, 2026. support.microsoft.com.
  3. Microsoft. “Use the System File Checker tool to repair missing or corrupted system files.” Microsoft Support, accessed July 17, 2026. support.microsoft.com.
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?