Windows Defender Offline Scan is a malware-scanning mode in Microsoft Defender that restarts the device and runs outside the normal Windows session. Because it operates before the full desktop loads, it can inspect files and system areas that some threats hide from during regular operation. This makes it useful against rootkits, boot-level malware, and infections that try to interfere with security tools while Windows is running.
In cyber security, this offline mode matters because reboot-based maintenance creates a pre-OS trust boundary. Defenders use it as a recovery and cleanup tool, but attackers may try to abuse or disrupt that same path if they can influence boot settings, recovery media, or related repair environments. For that reason, unexpected offline-scan activity can be a useful signal in incident response, and it is often paired with strong boot protections, device integrity checks, and careful control of recovery access.



