How to Get the Last Windows Defender Scan Date in Batch Script

Maintaining a consistent scanning schedule is a cornerstone of system security. For IT administrators and security managers, being able to quickly verify when a machine was last audited for threats is an essential compliance task. If a computer hasn't been scanned in several weeks, it represents a significant security gap. While this information is buried in the "Windows Security" GUI, a Batch script can pull the exact timestamp of the last Quick or Full scan programmatically.

This guide explains how to use PowerShell via Batch to audit your scan history.

Why Audit the Last Scan Date?

Security Compliance: Ensuring that all workstations in a network have completed a full system audit within the last 7 days.
Health Monitoring: Identifying "Stale" machines that might have their scheduled scans disabled or failing.
Maintenance Reporting: Generating a "Security Signature" report that includes the date of the last deep-cleaning operation.

No Native CMD Tool

The standard MpCmdRun.exe tool does not have a "Last Scan Date" flag. However, the Microsoft Defender engine stores these details in its configuration objects, which we can easily query using PowerShell.

Method 1: Getting the Quick Scan Timestamp (Fastest)

Quick scans happen most frequently. You can pull the completion time directly from the MpComputerStatus object.

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving last Quick Scan completion time...
echo.

powershell -NoProfile -Command ^
    "$status = Get-MpComputerStatus;" ^
    "$qTime = $status.QuickScanEndTime;" ^
    "if ($qTime -and $qTime.Year -gt 1) {" ^
    "  Write-Host ('Last Quick Scan: ' + $qTime.ToString('yyyy-MM-dd HH:mm:ss'))" ^
    "} else {" ^
    "  Write-Host 'Last Quick Scan: Never completed'" ^
    "}"

pause

Method 2: Getting the Full Scan Timestamp

Full scans are more comprehensive. Querying this timestamp tells you the last time the machine's entire disk was verified.

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving last Full Scan completion time...
echo.

powershell -NoProfile -Command ^
    "$status = Get-MpComputerStatus;" ^
    "$fTime = $status.FullScanEndTime;" ^
    "if ($fTime -and $fTime.Year -gt 1) {" ^
    "  Write-Host ('Last Full Scan: ' + $fTime.ToString('yyyy-MM-dd HH:mm:ss'))" ^
    "} else {" ^
    "  Write-Host 'Last Full Scan: Never completed'" ^
    "}"

pause

Creating a Security Audit Readiness Script

A professional script will compare these dates against a compliance threshold and give the user a clear "Pass / Fail" status.

@echo off
setlocal

echo ============================================================
echo   Microsoft Defender Scan Auditor
echo ============================================================

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

:: Define compliance threshold (days)
set "MAX_DAYS=14"

:: Pull all scan data in a single PowerShell call
echo.
powershell -NoProfile -Command ^
    "$status = Get-MpComputerStatus;" ^
    "$now = Get-Date;" ^
    "$qTime = $status.QuickScanEndTime;" ^
    "if ($qTime -and $qTime.Year -gt 1) {" ^
    "  $qDays = [math]::Round(($now - $qTime).TotalDays, 1);" ^
    "  Write-Host ('Last Quick Scan: ' + $qTime.ToString('yyyy-MM-dd HH:mm:ss') + ' (' + $qDays + ' days ago)');" ^
    "  if ($qDays -gt %MAX_DAYS%) { Write-Host '  [FAIL] Exceeds %MAX_DAYS%-day policy.' -ForegroundColor Red }" ^
    "  else { Write-Host '  [PASS] Within compliance window.' -ForegroundColor Green }" ^
    "} else {" ^
    "  Write-Host 'Last Quick Scan: Never completed';" ^
    "  Write-Host '  [FAIL] No quick scan on record.' -ForegroundColor Red" ^
    "};" ^
    "$fTime = $status.FullScanEndTime;" ^
    "if ($fTime -and $fTime.Year -gt 1) {" ^
    "  $fDays = [math]::Round(($now - $fTime).TotalDays, 1);" ^
    "  Write-Host ('Last Full Scan:  ' + $fTime.ToString('yyyy-MM-dd HH:mm:ss') + ' (' + $fDays + ' days ago)');" ^
    "  if ($fDays -gt %MAX_DAYS%) { Write-Host '  [FAIL] Exceeds %MAX_DAYS%-day policy.' -ForegroundColor Red }" ^
    "  else { Write-Host '  [PASS] Within compliance window.' -ForegroundColor Green }" ^
    "} else {" ^
    "  Write-Host 'Last Full Scan:  Never completed';" ^
    "  Write-Host '  [FAIL] No full scan on record.' -ForegroundColor Red" ^
    "};" ^
    "$sigTime = $status.AntivirusSignatureLastUpdated;" ^
    "if ($sigTime) {" ^
    "  $sigDays = [math]::Round(($now - $sigTime).TotalDays, 1);" ^
    "  Write-Host ('Definitions:     ' + $sigTime.ToString('yyyy-MM-dd HH:mm:ss') + ' (' + $sigDays + ' days ago)')" ^
    "}"

echo.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

Querying detailed security health status via Get-MpComputerStatus requires Administrator privileges in many hardened or enterprise environments.

Wrong Way:

:: Running as a standard user
powershell -Command "(Get-MpComputerStatus)..."
:: Result: Access Denied or a blank string.

Interpretation of Empty Dates

If the command returns a blank line or a date with year 0001, it means no scan of that type has ever been successfully completed since the OS was installed.

SEO and UX Tip

Advise your users that a "Never completed" date for a Full Scan is a major security red flag. It indicates that the machine's files have never been fully verified, and they should schedule a scan immediately.

Best Practices for Security Auditing

Check Definition Dates: Alongside the scan date, also check when the virus definitions were last updated: (Get-MpComputerStatus).AntivirusSignatureLastUpdated.
Verify Threat Status: A scan date is only useful if no threats were found. Check (Get-MpComputerStatus).AntivirusDetectionState to see the overall engine health.
Automated Logging: Append these timestamps to a CSV file shared on your network to create a master dashboard of all machine scan statuses.

Third-Party AVs

If a computer has a third-party antivirus installed (like Avast or ESET), Windows Defender typically enters "Passive Mode" or is disabled. In this state, these commands will likely return no data or an error.

Conclusion

Querying the last Windows Defender scan date via Batch script is a fundamental diagnostic task for maintaining the integrity of your Windows ecosystem. By programmatically revealing the timestamps of Quick and Full system audits, you can identify security gaps and ensure that every machine in your care is providing maximum protection. This professional approach to system monitoring transforms "Hidden" status data into a clear, actionable audit trail, ensuring that your security perimeter remains verified and your machines stay healthy across the entire organization.

Why Audit the Last Scan Date?​

Method 1: Getting the Quick Scan Timestamp (Fastest)​

Method 2: Getting the Full Scan Timestamp​

Creating a Security Audit Readiness Script​

Common Pitfalls and How to Avoid Them​

Administrative Rights​

Interpretation of Empty Dates​

Best Practices for Security Auditing​

Conclusion​

Table of Contents