Merging WD new files (BAFS, WDO, Enhanced notification), updated main file, updated powershell cmdlets, defender images, TOC

.gitignore

@@ -6,7 +6,12 @@ _site/
 Tools/NuGet/
 .optemp/
 
+
 .openpublishing.build.mdproj
 .openpublishing.buildcore.ps1
 packages.config
 windows/keep-secure/index.md
+
+# User-specific files  
+.vs/
+

windows/keep-secure/TOC.md

@@ -709,7 +709,10 @@
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+#### [Windows Defender Offline in Windows 10](windows-defender-offline.md)
 #### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
+#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
+#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
 #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)

windows/keep-secure/configure-windows-defender-in-windows-10.md

@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Defender in Windows 10 (Windows 10)
+title: Configure and use Windows Defender in Windows 10
 description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
 ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
 ms.prod: w10
@@ -14,7 +14,9 @@ author: jasesso
 **Applies to**
 -   Windows 10
 
-IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
+
+You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies.
 
 ## Configure definition updates
 

windows/keep-secure/get-started-with-windows-defender-for-windows-10.md

@@ -183,7 +183,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
 
 ## Related topics
 
-[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
  
  

windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md

@@ -23,7 +23,8 @@ For a list of the cmdlets and their functions and available parameters, see the
 
 PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. 
 
-> **Note:**  PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+> [!NOTE]
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
 
 PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
 
@@ -32,7 +33,8 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window
 
 1. Click **Start**, type **powershell**, and press **Enter**.
 2. Click **Windows PowerShell** to open the interface. 
-    > **Note:**  You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+    > [!NOTE]
+    > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
 3. Enter the command and parameters.
 
 To open online help for any of the cmdlets type the following:
@@ -41,3 +43,7 @@ To open online help for any of the cmdlets type the following:
 Get-Help <cmdlet> -Online
 ```
 Omit the `-online` parameter to get locally cached help.
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

windows/keep-secure/windows-defender-block-at-first-sight.md

@@ -0,0 +1,113 @@
+---
+title: Enable the Block at First Sight feature to detect malware within seconds
+description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
+keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Enable the Block at First Sight feature in Windows 10
+
+**Applies to**
+
+- Windows 10, version 1607
+
+Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds. 
+
+You can enable Block at First Sight with Group Policy or individually on endpoints.
+
+## Backend procesing and near-instant determinations
+
+When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
+
+If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud. 
+
+If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
+ 
+The file-based determination typically takes 1 to 4 seconds.
+
+> [!NOTE]
+> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
+
+
+## Enable Block at First Sight
+
+### Use Group Policy to configure Block at First Sight
+
+You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
+
+This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
+
+Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work.
+
+**Configure pre-requisite cloud protection Group Policy settings:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
+    
+    1.  Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+    
+    1.  Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following:
+    
+        1. Send safe samples (1)
+        
+        1. Send all samples (3)
+
+        > [!NOTE]
+        > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
+
+    1. Click OK after both Group Policies have been set.
+
+1.  In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
+    
+    1.  Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**.
+    
+    1.  Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**.
+
+
+
+**Enable Block at First Sight with Group Policy**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree through **Windows components > Windows Defender > MAPS**.
+
+1.  Double-click the **Configure the <20>Block at First Sight<68> feature** setting and set the option to **Enabled**.
+
+    > [!NOTE]
+    > The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
+
+### Manually enable Block at First Sight on Individual clients
+
+To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
+
+**Enable Block at First Sight on invididual clients**
+
+1. Open Windows Defender settings:
+
+    a. Open the Windows Defender app and click **Settings**.
+    
+    b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
+
+2.	Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
+
+> [!NOTE]
+> These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy.
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

windows/keep-secure/windows-defender-enhanced-notifications.md

@@ -0,0 +1,43 @@
+---
+title: Configure enhanced notifications for Windows Defender
+description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
+keywords: notifications, defender, endpoint, management, admin
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Configure enhanced notifications for Windows Defender in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
+
+Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
+
+You can enable and disable enhanced notifications  with the registry or in Windows Settings. 
+
+## Configure enhanced notifications
+
+You can disable enhanced notifications on individual endpoints in Windows Settings. 
+
+**Use Windows Settings to disable enhanced notifications on individual endpoints**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
+
+1. Toggle the setting between **On** and **Off**.
+
+![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
+
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

windows/keep-secure/windows-defender-in-windows-10.md

@@ -31,6 +31,23 @@ Windows Defender provides the most protection when cloud-based protection is ena
 -   Reports and report management
 
 When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
+
+
+### Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. 
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. 
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
  
 ### Minimum system requirements
 
@@ -48,37 +65,12 @@ For more information about what's new in Windows Defender in Windows 10, see [W
 
 ## In this section
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Topic</th>
-<th align="left">Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)</p></td>
-<td align="left"><p>IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using:</p>
-<ul>
-<li>Group Policy Settings</li>
-<li>Windows Management Instrumentation (WMI)</li>
-<li>PowerShell</li>
-</ul></td>
-</tr>
-<tr class="even">
-<td align="left"><p>[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)</p></td>
-<td align="left"><p>IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)</p></td>
-<td align="left"><p>IT professionals can review information about <em>event IDs</em> in Windows Defender for Windows 10 and see any relevant action they can take.</p></td>
-</tr>
-</tbody>
-</table>
- 
- 
- 
+Topic | Description
+:---|:---
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
+[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
+[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
+[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
+[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
+[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.

windows/keep-secure/windows-defender-offline.md

@@ -0,0 +1,181 @@
+---
+title: Windows Defender Offline in Windows 10
+description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Windows Defender Offline in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## Pre-requisites and requirements
+
+Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. 
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+ 
+## Windows Defender Offline updates
+
+Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+![Windows notification showing the requirement to run Windows Defender Offline](images/defender/notification.png)
+
+The user will also be notified within the Windows Defender client:
+
+![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
+
+## Manage notifications
+<a name="manage-notifications"></a>
+
+You can suppress Windows Defender Offline notifications with Group Policy. 
+
+> [!NOTE]
+> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
+
+**Use Group Policy to suppress Windows Defender notifications:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender > Client Interface**.
+
+1.  Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
+
+## Configure Windows Defender Offline settings
+
+You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications. 
+
+For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
+
+-	[Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+-	[Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
+
+For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
+
+## Run a scan 
+
+Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
+
+> [!NOTE]
+> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. 
+
+You can set up a Windows Defender Offline scan with the following:
+
+-	Windows Update and Security settings
+
+-	Windows Defender
+
+-	Windows Management Instrumentation
+
+-	Windows PowerShell
+
+-	Group Policy
+
+> [!NOTE]
+> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+**Run Windows Defender Offline from Windows Settings:**
+
+1.	Open the **Start** menu and click or type **Settings**.
+
+1.	Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
+
+1.	Click **Scan offline**. 
+
+    ![Windows Defender Offline setting](images/defender/settings-wdo.png)
+
+1.	Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+**Run Windows Defender Offline from Windows Defender:**
+
+1.	Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. 
+
+1.	On the **Home** tab click **Download and Run**.
+
+    ![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
+
+1.	Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+
+**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
+
+Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
+ 
+The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```WMI
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start 
+```
+
+For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
+
+-	[Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) 
+
+-	[MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
+
+**Run Windows Defender Offline using PowerShell:**
+
+Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan. 
+
+For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
+
+## Review scan results
+
+Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan. 
+
+1.	Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. 
+
+1.	Go to the **History** tab.
+
+1.	Select **All detected items**.
+
+1.	Click **View details**.
+
+Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
+
+![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
+
+## Related topics
+
+- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)