Device Posture - Defender and Defender ATP

Hi Community,

currently we are looking for a possibility to check if the Microsoft Defender/Defender ATP is active and running.
Any Idea how to achieve that?

With MacOS we are using the process check - but on Windows the path is different with different versions.

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.3-0\MsMpEng.exe


If someone is searching - it got implemented as a separated Device Posture check by Zscaler for Mac and Windows

Hi Tim,

i am looking for thumbprint for ms defender ATP in mac os , do you know where to look ?


Hi - I would recommend this thread. That helped me.
But - The Zscaler Posture check for Defender has been implemented. I’m not sure if you still need this.

Finding a Signer Certificate Thumbprint for Process Check posture profiles in Windows and MacOS - Private Access - Zenith (


Please note the built in Posture Check type for Defender does not work with Defender ATP, these have different digital signatures. For Windows using Defender ATP i created a new posture check based on the process as follows.

Name : MD-ATP

Type: Process Check

Platform: Windows

Path = C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Thumbprint = 7b2177e03d07812a5a5842565a647db565f77bb8

I applied this to my Access Policies and was able to access, if I used the built in version it fails as it looks for ecd8ccdd9fd6f6fd7f972a6eaf766305b607fcba

Hope this helps.

We had to do what you did as well. On our macs the built in check only worked on devices running Big Sur and ATP. Since we haven’t upgraded all our Macs we had to create similar policies non-Big Sur macOS.

Hi. I’d raised a support call and now with ZCC the built in ‘defender’ posture check also now works for Defender ATP. I’ve confirmed this is working (for windows not sure about macs).

1 Like