Windows Defender Scheduled Scan

Goal​

I am trying to ensure that Windows Defender runs successfully at least once a day, reliably.

What's is already happening/Problems​

I noticed that in the Task Scheduler entry "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan," which is typically recommended for adding additional triggers, it already runs at least once a day without any added triggers.

The problems are:

• The task will trigger
• but most of the time will stop immediately with the "Last Run Result" of 0x2 in the scheduler. and the following such messages:

Event Viewer (event ID=1002)
Microsoft Defender Antivirus scan has been stopped before completion.
Scan ID: {5BCA72C4-99D2-4317-9D92-444BCD597274}
Scan Type: Antimalware
Scan Parameters: Quick Scan
User: NT AUTHORITY\SYSTEM

Scheduler History (event ID=102)
Task Scheduler successfully completed task "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" , instance "{5161b45f-6b11-47e7-a8ee-7939f4fff919}" , action "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe" with return code 2147942402.

• Some day, the task is run multiple times, but it still finishes with the above result
• Usually, after multiple days, the task will finish successfully with the following in the event viewer (ID=1001)

Microsoft Defender Antivirus scan has finished.
Scan ID: {7D7D87CA-5BF9-4733-9295-C1221CDB3BCB}
Scan Type: Antimalware
Scan Parameters: Quick Scan
User: NT AUTHORITY\SYSTEM
Scan Time: 0:02:43

The problem is, most of the time, the quick scan will succeed only once every few days, sometimes taking almost a week.

What I've already tried​

• According to this Microsoft Community post, changing the credential to the local Administrator account may help in some cases. But I tried this on the particular "Windows Defender Scheduled Scan", with no effect.
• Adding triggers at different times
• Making sure I lock the screen/do nothing (trying to be idle) when an added trigger (for experimentation) activates, with no effect.

Question​

Has anyone figured out how to have Windows Defender run a quick scan reliably at least once a day without having to do it manually? I don't mind if it runs during non-idle time, as long as I can schedule the task.

Hope these instructions help: Schedule a scan in Microsoft Defender Antivirus - Microsoft Support

Thanks for the reply. I am already doing that, but it runs unreliably.

I just end up creating another schedule job with the action:

"c:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScanType 1

which doesn't use whatever exit/non-scan algorithm that Microsoft's scheduled task is using. This works for my usecase.

Return code 2147942402 equates to "file not found". Something is corrupted or missing with the scheduled task.

You might want to try:

Ran the commands that you suggested, then triggered the entry manually. Same result: 2147942402.

[C:\]DISM /Online /Cleanup-Image /RestoreHealth

Deployment Image Servicing and Management tool
Version: 10.0.26100.1150

Image Version: 10.0.26100.3194

[==========================100.0%==========================] The restore operation completed successfully.
The operation completed successfully.

[C:\]sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

Click to expand...

The normal scheduled task runs "MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob".

1. From Task Manager, check if there are no other MpCmdRun.exe's running (or stuck in memory). Kill them if necessary.
2. Run the above command. Does it return in error?

My scan just finished with no errors. I suspect your's might complain about something.

Yes, it's failing.

Here's the console output:

[C:\]"c:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob
Scan starting...
CmdTool: Failed with hr = 0x80508018. Check C:\Users\*\AppData\Local\Temp\MpCmdRun.log for more information

Click to expand...

Here's the relevant section from the MpCmdRun.log file:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob
Start Time: ***

MpEnsureProcessMitigationPolicy(0x5): hr = 0x1
Starting RunCommandScan.
RunCommandScan is using default scan type: 1.
Scanning path as file: (null).
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=278529, Timeout in days = 1)
MpScan() started
Warning: MpScan() was canceled!
MpScan() was completed
ERROR: MpScan(dwOptions=278529) Completion Failed 0x80508018
MpCmdRun.exe: hr = 0x80508018.
MpCmdRun: End Time: ***

Click to expand...

Here's a successful run from the differently created schedule mentioned before:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScanType 1
Start Time: ***

MpEnsureProcessMitigationPolicy(0x5): hr = 0x1
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: (null).
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, Timeout in days = 1)
MpScan() started
Time Info - *** MpScan() was completed
Finish: MpScanStart(MP_FEATURE_SUPPORTED, dwOptions=16385)
Finish: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, Timeout in days = 1)
No immediate remediation is required for the found threat.MpScan() has detected 0 threats.
MpCmdRun: End Time: ***
-------------------------------------------------------------------------------------

Click to expand...

Can you check Windows Update history, and see if you've recently downloaded new signatures?

I'm gonna guess the scheduler forces a signature update, before running the scan. You can try forcing an update (after first confirming if WU refreshed the signatures).

The update history under "Definition Updates" is not matching what is shown in the "Protection Updates" screen in "Windows security -> Virus & Threat Protection". The info on the screen shows a later version:

Security intelligence version: 1.423.187.0
Version created on: 2025-03-02 05:35
Last update: 2025-03-02 11:20 (about 3 hours ago)

The one in history shows the version 1.423.187.0, installed yesterday with no time indication.

The only other thing I can think of is the scan job aborts because your PC is "too busy" with running processes, and Defender only wants to run when the idle threshold hits some magical number (Scan-Trigger 55).

garlin said:

My scan just finished with no errors. I suspect your's might complain about something.

Click to expand...

An extra question. If you run the same scan again now, does it run to completion?

Another manual run failed with a 0x80508018. It's a new W11 install from last night (done for testing), so it's not because I changed anything in Windows.

That's what I am afraid of. "Fail" (works as designed) randomly.

I tried putting in a bunch of triggers in the schedule to see if one of them would succeed; none has yet. I suspect that this would, at some point, probably on conditions like "There has been no successful scan for at least a day, the computer isn't busy, etc." People encountering this issue on Windows 10 haven't found clear explanations, but some seem to have "succeeded" by providing the local Administrator's credentials.

I think I'll forgo this magical schedule and settle on a more certain one.

Thank you very much for your help!