Configure scheduled scans in Microsoft Defender

  • Scheduled quick scan is the recommended option and is complemented by real-time protection and cloud intelligence.
  • Manage scheduling, CPU, and randomization with GPO, Intune, or Configuration Manager to minimize impact on users.
  • Expand or narrow the scope (email, network, drives, compressed files) according to your needs and security policies.
  • Automate and react with PowerShell, WMI, and the Defender Portal for on-demand scanning and rapid remediation.


Scheduling scans in Microsoft Defender is one of those maintenance tasks that saves you time and effort: you define what is scanned, when, and with what intensity, and the device does the rest without disturbing you. With the right configuration, the scans fit into your schedule, take advantage of downtime, and combine with real-time protection to strengthen security without compromising performance.

In this guide, you'll find all the ways to configure scheduled and on-demand scans: Task Scheduler, Group Policy (GPO), Microsoft Intune, Configuration Manager, PowerShell, WMI, the Microsoft Defender portal, and even the command-line utility. We also review the scope of the scans (mail, network files, mapped drives, compressed files), default values, recommendations, and optimizations applied by the engine itself.

Types of scans available in Microsoft Defender

Microsoft Defender Antivirus offers three scan modes: quick, full, and custom, each with its own purpose and cost in time and resources. Choosing wisely which one to schedule is key to balancing security and performance on your devices.

Quick scan (recommended): inspects common malware launch and persistence locations (known registry keys and startup folders), as well as mounted removable devices such as USB drives. Combined with real-time protection, it provides robust coverage against system-boot threats and kernel-level malware.

Helpful new feature: With platform update 4.18.2311.xx (December 2023), the “Quick scan includes exclusions” option is available, allowing a quick scan to cover files and folders excluded from real-time protection using contextual exclusions. While in preview, its management is available in Intune (Configuration Catalog).

Full scan: It begins with a quick scan and then checks all mounted fixed disks and, if configured, removable or network drives. This can take hours or days depending on the volume and type of data. It uses the definitions available when the scan starts; if updates arrive mid-scan, a new full scan would be required to cover the new signatures. Due to resource consumption, scheduling this scan periodically is not generally recommended.

Custom scan: It allows you to select specific locations (for example, a USB drive or a specific folder) and runs limited to that selection. It's ideal for checking portable media or specific risk areas without going through a full scan.

How to choose the scan type

For regular, scheduled scans, Quick is the preferred option: it checks processes, memory, profiles, and critical locations, and along with real-time protection provides very balanced coverage.

If threats are detected on a specific computer, also start with a quick scan: in most cases, it will detect and clean the identified malware without the need for a full scan.

When you want to check removable media or a specific folder, choose a custom scan: it reduces scan time by focusing only on the suspicious path.

After installing or reactivating Microsoft Defender Antivirus, run a quick scan (or a full scan if you prefer thoroughness): remember that a full scan will take longer and consume more resources.

Key points before scheduling

There are two types of native scheduled scans: daily (quick only) and weekly (quick or full). Adjust the frequency to your environment, but reserve full scans for specific scenarios.

Update before scheduled time: By default, Defender checks for protection updates 15 minutes before a scheduled scan. You can manage when to download and apply updates if you want to modify this behavior.

Laptops and battery: If during a scheduled full scan a device loses power and switches to battery power, the scan stops (event 1002) and will resume at the next scheduled time.

Time zone: Scheduled scans are governed by the device's local time zone. In dispersed environments, plan with this variable in mind.

Real-time protection + quick scan: Although malicious files may be hidden beyond the reach of the scanner, real-time monitoring scans files upon opening/closing and when browsing folders, so the combination maintains high protection.

Cloud Access Protection: ensures that accessed files are checked against the latest Microsoft cloud intelligence and machine learning models.

Automatic remediation: If real-time protection detects malware and the extent of the affected files cannot be determined at the outset, Defender launches a full scan during the remediation process.

Devices with long periods of disconnection: when a device has been offline for a long time, a full scan can take longer because of the volume of accumulated changes.

Include exclusions in quick scans: You can enable Quick Scan to review exclusions from real-time protection from PowerShell, Intune, or GPO if you need more coverage during periodic scans.

Schedule scans from Task Scheduler (Windows)

If you prefer fine-grained control without relying on policies, Windows Task Scheduler lets you define triggers for Defender scans. It's simple, effective, and available on every Windows computer.

  1. Open Task Scheduler: In the search box on the taskbar, type “Task Scheduler” and open the application.
  2. Navigate to Defender: In the left pane, expand Task Scheduler Library > Microsoft > Windows and select the Windows Defender folder.
  3. Choose the task: In the center pane, double-click “Windows Defender Scheduled Scan.”
  4. Edit the trigger: In Scheduled Scan Properties (Local Computer), open the Triggers tab and click “New.”
  5. Define the frequency and start: Choose frequency, time and conditions (for example, only if the device is inactive) and confirm.

Tip: Take advantage of priority settings or idle conditions so that the scan does not interfere with the user's work, especially for full scans.

Configure scans with Group Policy (GPO)

GPOs are the standard way in managed Windows environments to centrally configure scan parameters. They allow you to set scan types, randomization windows, CPU usage, schedules, and behavior after updates.

  1. Open the Group Policy Management Console on your management computer.
  2. Edit the GPO that you want to configure.
  3. Go to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus and, for scheduling, Microsoft Defender Antivirus > Scan.
  4. Configure each setting according to your needs and click OK.
  5. Link and deploy the GPO as you normally do.

Daily (quick): You can specify the interval in hours between quick scans (0 = never) and the time of day in minutes past midnight (default 120 = 2:00).

Weekly (quick or full): Choose the scan type, day of the week (or never), and time of day in minutes past midnight. Useful for a quick weekly boost or a full scan scheduled during maintenance windows.

Task randomization: Defender can randomize startup times between 0 and 23 hours; by default, tasks start randomly within a 4-hour window from the Scheduler's fixed time. You can also set the randomization window between 1 and 23 hours; if disabled or not configured, the randomization is 0–4 hours.

CPU usage during a scan: “Specify the maximum percentage of CPU usage during a scan” allows you to set a maximum between 5 and 100 (0 = no limit). The default value is 50. It's not a hard limit, but a guide; manual scans do not respect this limit.

When the device is not in use: With "Start scheduled scan only when the computer is on but not in use," you can prevent the scan from starting while the user is working. This is enabled by default.

Remediation: Schedule a full scan to complete fixes on a specific day and time (never by default and 120 minutes past midnight if enabled).

After protection updates: “Enable scanning after Security Intelligence update” triggers an immediate process scan after downloading new signatures (enabled by default).

Configure scans and settings with Microsoft Intune

Intune lets you manage antivirus policies and run remote scans in Windows 10 and 11. You can use Endpoint Security (Antivirus) or Device Restriction policies to adjust scheduling and scope.

To configure scan and scheduling options: See “Device restriction options in Intune” and “Antivirus device restriction settings for Windows 10 in Intune” for Defender-specific settings that you can apply to groups of devices.

To run a scan from Endpoint Security: In the Intune admin center, go to Endpoint Security > Antivirus, and on the Windows 10/11 tab, choose Quick scan (recommended) or Full scan as the action for the selected devices.

For a single device: In Intune, go to Devices > All Devices, open the device, and under “… More,” run a Quick Scan or a Full Scan.

Tip: Consider enabling “Quick scan includes exclusions” from the Configuration Catalog if you want scheduled quick scans to review items normally excluded from real-time protection.

Configure options with Microsoft Configuration Manager

Using Configuration Manager (current branch), create and deploy anti-malware policies to standardize scan settings across device collections. In the scan settings section, you can adjust scan type (quick/full), schedules, update behavior, and CPU usage.

Good practices: apply differentiated profiles by role or criticality (for example, servers vs. desktops), reserve full scans for maintenance windows, and validate the impact with a gradual rollout before deploying broadly.

PowerShell, WMI, and Command Line: Granular Control

PowerShell and WMI give you immediate control to query and set preferences, as well as launch on-demand scans. They're essential for automation, scripting, and rapid response.

Run a scan: use Start-MpScan to start a quick or full scan based on its parameters. To have a quick scan include contextual exclusions, you can run Set-MpPreference -QuickScanIncludeExclusions 1.

Set Key Preferences (Set-MpPreference / MSFT_MpPreference): Available settings include:

  • E-mail: -DisableEmailScanning controls the scanning of mail files. Default: disabled.
  • Compressed files: -DisableArchiveScanning to include/exclude .zip, .rar, etc. Default: enabled. The extension exclusion list takes priority.
  • Network files: -DisableScanningNetworkFiles determines whether they are scanned. Default: disabled.
  • Mapped network drives (full scans): -DisableScanningMappedNetworkDrivesForFullScan. Default: disabled.
  • Removable drives: -DisableRemovableDriveScanning, which applies to full scans only. Default: disabled.
  • Average CPU load: -ScanAvgCPULoadFactor (guide, not hard limit). Default: 50. Manual scans do not apply this limitation.
  • CPU throttling for scheduled scans only: -ThrottleForScheduledScanOnly.

Additional settings: Script scanning is enabled by default (manageable by policy); reparse point scanning is listed as disabled with no available setting in the policy table; packaged executable scanning is listed as enabled but has been removed from several recent Windows 11 ADMX templates, so its GPO control may not be available.
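The Set-MpPreference settings above can be audited before they are changed. The script below is an added example, not code from the original page: it compares Get-MpPreference against a constructed sample baseline (the values in $baseline are assumptions to adjust to your own policy) and only writes changes when run with -Apply.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Defender scan preferences against a baseline; -Apply fixes drift.
param([switch]$Apply)

# Constructed sample baseline (an assumption, not a Microsoft recommendation).
$baseline = [ordered]@{
    ScanParameters                      = 1       # 1 = quick scan, 2 = full scan
    ScanAvgCPULoadFactor                = 50      # guide value, not a hard limit
    ScanOnlyIfIdleEnabled               = $true   # start only when the device is idle
    CheckForSignaturesBeforeRunningScan = $true
    DisableArchiveScanning              = $false  # keep archive scanning on
    ThrottleForScheduledScanOnly        = $true
    QuickScanIncludeExclusions          = 1
}

$current = Get-MpPreference
$fix     = @{}

$report = foreach ($name in $baseline.Keys) {
    $prop = $current.PSObject.Properties[$name]
    if (-not $prop) {
        # Older platform versions do not expose every preference.
        [pscustomobject]@{ Setting = $name; Current = 'n/a'; Wanted = $baseline[$name]; State = 'Unsupported' }
        continue
    }
    # Booleans and bytes are both compared as integers (True = 1, False = 0).
    $drift = [int]$prop.Value -ne [int]$baseline[$name]
    if ($drift) { $fix[$name] = $baseline[$name] }
    [pscustomobject]@{
        Setting = $name
        Current = $prop.Value
        Wanted  = $baseline[$name]
        State   = if ($drift) { 'Drift' } else { 'OK' }
    }
}
$report | Format-Table -AutoSize

if ($Apply -and $fix.Count -gt 0) {
    Set-MpPreference @fix
    # Re-read the preferences: a value that does not change is enforced elsewhere.
    $after = Get-MpPreference
    foreach ($name in @($fix.Keys)) {
        if ([int]$after.$name -ne [int]$fix[$name]) {
            Write-Warning "$name still differs; a GPO, Intune, or ConfigMgr policy may be enforcing it."
        }
    }
}
```

Values delivered by GPO, Intune, or Configuration Manager take precedence over local preferences, which is why the script re-reads the settings after applying them.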

WMI: use the Start method of the MSFT_MpScan class to initiate scans from WMI scripts. Review the Windows Defender WMIv2 API for allowed parameters and return statuses.

Command line (mpcmdrun.exe): You can start scans with parameters like mpcmdrun.exe -scan -scantype 1. See the tool's help for other types (e.g., full) and for defining specific paths.

Run remote scans from the Microsoft Defender portal

For a managed device, the Microsoft Defender portal allows you to launch quick or full scans without touching the device. This is useful in responding to alerts or for spot checks.

  1. Go to https://security.microsoft.com and sign in.
  2. Open the page of the target device.
  3. Choose the ellipsis (…) and choose Run antivirus scan.
  4. Select Quick scan (recommended) or Full scan, add a comment, and confirm.

To check the status: in Actions & Submissions > Action Center > History, filter by “Start antivirus scan” and check the “Completed” status.

Scope of scans: mail, network, drives, and files

In addition to scheduling, define what to scan to balance efficiency and cost: email, network files, mapped and removable drives, compressed files, and more.

E-mail: Defender can analyze DBX, MBX, and MIME files during on-demand and scheduled scans. Non-Unicode PST files (Outlook 2003 or earlier) are scanned, but threats within the PST cannot be remediated. If a threat is detected in an email, you'll see the subject and attachment name to identify the message you want to clean manually.

Mapped network drives: On any OS, only those assigned at the system level are examined (not those mapped by the user in their session with their credentials).

Network files: By default, file scanning on network resources is disabled; only enable it if it adds value to your environment, and monitor its impact.

Compressed files (.zip, .rar, etc.): Scanning is enabled by default. Keep in mind that the extension exclusion list overrides this setting. You can also limit the depth of subfolders in archive files and set the maximum size (in KB) to scan; a value of 0 applies no limit.

Reparse points: The “Enable Reparse Point Scanning” policy appears disabled with no available parameter; review the “Reparse Points” notes if you require specific behavior.

Removable drives: The “scan only during full scans” option is disabled by default; adjust this preference according to your USB policy.

Performance optimization for scheduled quick scans

To reduce load, Defender may skip certain scheduled quick scans if a “qualified quick scan” has run within the last seven days. This optimization applies only to quick scans started by the schedule (not those launched on demand) and does not affect real-time protection.

Compatibility: Available from Windows 10 1607 (Anniversary Update) and later, and on Windows Server 2016 and later. Does not apply to Server Core installations.

Specific conditions of a “qualified quick scan” and exceptions: Microsoft documents additional criteria and situations where this optimization doesn't apply; review these if you need to ensure execution regardless of recent activity.

Policy Values and Locations: A Practical Summary

For consistent management, here are some default values and their associated locations/properties for Defender Antivirus:

  • Email scanning (Scan > Enable Email Scanning): Disabled by default; PowerShell: -DisableEmailScanning.
  • Script scanning: Enabled by default; manageable by policy (AllowScriptScanning).
  • Reparse points: Default disabled; no parameter available.
  • Mapped network drives (full scans): -DisableScanningMappedNetworkDrivesForFullScan. Default disabled.
  • Archive files: -DisableArchiveScanning (extension exclusions take precedence). Default enabled.
  • Network files: -DisableScanningNetworkFiles. Default disabled.
  • Packaged executables: Default enabled; no parameter, removed from several recent Windows 11 ADMX templates.
  • Removable drives (full scans only): Default disabled; -DisableRemovableDriveScanning.
  • Depth in archive files: default value 0; no parameter.
  • CPU usage during a scan: Default 50; -ScanAvgCPULoadFactor (guide, not hard limit; manual scans ignore it).
  • Maximum archive file size: no limit by default (0 = no limit); no parameter.
  • Low CPU priority for scheduled scans: Default disabled; no parameter.
  • CPU throttling for scheduled scans only: -ThrottleForScheduledScanOnly.
  • Quick scan includes exclusions: Default disabled; available via policies and QuickScanIncludeExclusions.

Running local scans: Windows Security app

On individual computers, the Windows Security app lets you launch a Quick, Full, or Custom scan in seconds. It is the most direct option for the end user and useful for specific validations.

Remember: Manual scans may ignore CPU limits, so schedule them outside of peak hours if there are large volumes of data.

Scope and platforms

The described options apply to Windows 10/11 and Windows Server devices supported by Microsoft Defender Antivirus, with occasional variations depending on the version (for example, ADMX templates or optimization availability).

More resources and diagnosis

To investigate performance or scanning issues, refer to the Microsoft Defender Antivirus Performance Analyzer and configuration troubleshooting guide. Also review the PowerShell-specific functions and cmdlets available to confirm current preferences and scan results.

When using policies (GPO/Intune/ConfigMgr), always validate on a pilot group before extending to the rest of the environment, and monitor Defender log events (for example, 1002 when a scan stops because the device switches to battery power) to adjust windows and conditions. With a sensible combination of scheduling, scope, and automation, Defender fits naturally into your devices' daily routines, keeping protection up to date with cloud intelligence, and minimizing impact through randomization, CPU throttling, and running during idle periods.
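One way to do the monitoring described above, as an added example that is not part of the original guide: the script reports how old the last scans are and lists recent event 1002 entries from the Defender operational log. The two thresholds are assumptions chosen for this example; the seven-day value mirrors the quick-scan optimization window mentioned earlier.

```powershell
# Added example: check scan freshness and find scheduled scans that were stopped.
$maxQuickScanAgeDays = 7    # assumption: alert threshold for this example
$lookbackDays        = 14   # assumption: how far back to search the event log

# Scan age and protection state as reported by the Defender module.
$status = Get-MpComputerStatus
$summary = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    RealTimeProtection = $status.RealTimeProtectionEnabled
    QuickScanAgeDays   = $status.QuickScanAge
    QuickScanEnd       = $status.QuickScanEndTime
    FullScanAgeDays    = $status.FullScanAge
    SignatureAgeDays   = $status.AntivirusSignatureAge
    # A device that has never completed a quick scan reports a very large age,
    # so it is flagged as stale as well.
    QuickScanStale     = $status.QuickScanAge -gt $maxQuickScanAgeDays
}
$summary | Format-List

# Event 1002: a scan was stopped before it finished (for example, on battery).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1002
    StartTime = (Get-Date).AddDays(-$lookbackDays)
}
# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$stopped = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($stopped.Count -eq 0) {
    Write-Output "No stopped scans (event 1002) in the last $lookbackDays days."
} else {
    # Group by hour of day: repeated stops at the same hour suggest the
    # scheduled window collides with users unplugging or shutting down.
    $stopped |
        Group-Object { $_.TimeCreated.Hour } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'HourOfDay'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}

if ($summary.QuickScanStale) {
    Write-Warning "Last quick scan is older than $maxQuickScanAgeDays days; review schedule and idle conditions."
}
```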