Initiate Microsoft Defender Antivirus scan on a machine.

Microsoft WindowsDefenderATP application permission required to run this action: Machine.Scan.

External Documentation

To learn more, visit the Microsoft Defender For Endpoints documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Comment | A comment to associate with the action. |
| Machine ID | The ID of the machine to initiate a scan for. Can be obtained using the List Machines action. |
| Scan Type | Select the type of the scan. |

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
	"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
	"type": "RunAntiVirusScan",
	"title": null,
	"requestor": "user@example.com",
	"requestorComment": "Routine security scan following suspicious network activity",
	"status": "InProgress",
	"machineId": "cd9f8e7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e",
	"computerDnsName": "workstation-42.corporate.local",
	"creationDateTimeUtc": "2025-06-29T14:16:05.9855884Z",
	"lastUpdateDateTimeUtc": "2025-06-29T14:16:05.9855888Z",
	"cancellationRequestor": null,
	"cancellationComment": null,
	"cancellationDateTimeUtc": null,
	"errorHResult": 0,
	"scope": null,
	"externalId": null,
	"requestSource": "Portal",
	"relatedFileInfo": null,
	"commands": [],
	"troubleshootInfo": null
}
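
An added example (not part of the original page or the connector's own code) showing how the three parameters map onto the underlying Defender for Endpoint request and how a caller can decide what to do with the returned machine action. The endpoint path, the `Quick`/`Full` scan types, the required comment and the status names follow Microsoft's public API reference and are assumptions here; the 40-hex machine ID check is inferred from the sample output above.

```python
import json
import re

API_BASE = "https://api.securitycenter.microsoft.com/api"  # host from @odata.context above
SCAN_TYPES = {"Quick", "Full"}  # assumed from Microsoft's public API reference
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}  # assumed terminal statuses


def build_scan_request(machine_id, scan_type, comment):
    """Validate the three action parameters and return (method, url, body)."""
    if not re.fullmatch(r"[0-9a-f]{40}", machine_id):  # format inferred from the sample
        raise ValueError("machine ID should be a 40-character hex string")
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan type must be one of {sorted(SCAN_TYPES)}")
    if not comment.strip():
        raise ValueError("a comment is required so the action is attributable")
    url = f"{API_BASE}/machines/{machine_id}/runAntiVirusScan"
    return "POST", url, json.dumps({"Comment": comment, "ScanType": scan_type})


def triage_action(response_text, expected_machine_id):
    """Decide the caller's next step from a machine action response."""
    action = json.loads(response_text)
    if action.get("type") != "RunAntiVirusScan":
        return "unexpected-action-type"
    if action.get("machineId") != expected_machine_id:
        return "machine-mismatch"  # response refers to a different device
    status = action.get("status")
    if status == "Succeeded":
        return "done"
    if status in TERMINAL or (action.get("errorHResult") or 0) != 0:
        return "investigate"
    return "poll-again"  # Pending / InProgress: the scan was only queued or is running


# Constructed input: a trimmed copy of the Example Output above.
SAMPLE = json.dumps({
    "type": "RunAntiVirusScan",
    "status": "InProgress",
    "machineId": "cd9f8e7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e",
    "errorHResult": 0,
})
```

An `InProgress` status, as in the sample output, only confirms that the scan was accepted; a workflow that reports results should re-read the action until it reaches a terminal status.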

Workflow Library Example

Run Antivirus Scan with Microsoft Defender for Endpoints and Send Results Via Email
