Docs
When Did Microsoft Defender Scan Last? Quick and Full Scan Visibility
Check the last quick scan and full scan times so small teams can confirm endpoint scan coverage without manual host-by-host review.
Question for Operators reviewing scan compliance and endpoint coverage
Scan timestamps are one of the fastest ways to prove coverage. Use this page to decide whether a device is following policy, drifted from policy, or simply has not checked in recently.
What You'll Get
- Use quick and full scan timestamps as coverage evidence
- Identify systems drifting from scan policy
- Prioritize remediation based on freshness and endpoint criticality
Jump To
Short Answer
Verify the last Defender scan by checking quick and full scan completion timestamps. For teams managing many endpoints, this is the fastest way to prove scan coverage and identify devices that drifted from policy. If you need to confirm Defender is actually installed and running before you read scan timestamps, use the Defender status guide first. For the wider operating model, use the endpoint posture monitoring guide.
Where to Check in Defender Reporter Dashboard
Open the Devices page and review Quick Scan End and Full Scan End for each endpoint. These timestamps show the last reported completion times and are rendered in local browser time for easier operations review.
Fast Local Validation Commands
If you need to confirm scan history on one endpoint, compare the dashboard values with PowerShell.
PS> Get-MpComputerStatus | Select-Object QuickScanEndTime, FullScanEndTime, LastFullScanSource, LastQuickScanSourceWindows Security protection history can also help validate whether the device has recent scan and threat activity.
How to Read Missing or Old Scan Times
Recent timestamps indicate scan activity is occurring. Older timestamps can indicate scan drift, powered-off endpoints, or policy execution problems. A dash usually means scan metadata has not been reported yet from that endpoint.
Follow-Up Workflow for Small Internal Teams
Sort devices by oldest scan timestamps, focus first on high-risk or high-value systems, and assign remediation owners. Use a weekly review cadence to keep scan compliance from becoming a silent backlog.
Set Practical Scan Freshness Targets
Define expected quick scan and full scan windows by endpoint type so your team can classify variance quickly. Without a baseline, teams often mislabel normal behavior as incidents or miss true compliance drift.
Differentiate Missed Scan vs Offline Endpoint
Combine scan timestamps with Last Seen and protection status. If scan is old but endpoint is actively checking in, treat it as policy execution failure. If both are old, handle as endpoint availability or connectivity issue first. If you also see stale signatures, cross-check with the Defender update-status guide.
Balance Coverage and Performance
If users report performance impact, tune scan schedules instead of disabling scans outright. A balanced schedule with explicit exceptions gives better long-term coverage than ad-hoc disablements.
Escalation Triggers
Escalate when critical systems miss full scans beyond policy threshold, or when large endpoint groups drift simultaneously. Pattern-based escalation helps lean teams focus on structural risk rather than isolated noise.