Device Posture - Defender and Defender ATP

Hi Community,

Currently we are looking for a way to check whether Microsoft Defender/Defender ATP is active and running.
Any idea how to achieve that?

On macOS we are using the process check, but on Windows the path differs between versions.

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.3-0\MsMpEng.exe


If someone is searching: it got implemented as a separate Device Posture check by Zscaler for Mac and Windows.

Hi Tim,

I am looking for the thumbprint for MS Defender ATP on macOS. Do you know where to look?


Hi - I would recommend this thread. That helped me.
But the Zscaler Posture check for Defender has been implemented. I’m not sure if you still need this.

Finding a Signer Certificate Thumbprint for Process Check posture profiles in Windows and MacOS - Private Access - Zenith (


Please note the built-in Posture Check type for Defender does not work with Defender ATP; these have different digital signatures. For Windows using Defender ATP I created a new posture check based on the process as follows.

Name : MD-ATP

Type: Process Check

Platform: Windows

Path = C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Thumbprint = 7b2177e03d07812a5a5842565a647db565f77bb8

I applied this to my Access Policies and was able to access. If I used the built-in version it fails, as it looks for ecd8ccdd9fd6f6fd7f972a6eaf766305b607fcba

Hope this helps.
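
To see locally what a Process Check like the one in the last post evaluates, here is an added PowerShell example (not part of the thread and not Zscaler's own code). It reads the signer thumbprint and running state of `MsSense.exe` and of `MsMpEng.exe` in the newest version-named Platform folder. The paths and the expected thumbprint are the values quoted in the thread and are assumptions for any other build; the function name `Get-SignerInfo` is hypothetical.

```powershell
# Added example. Paths and the MsSense.exe thumbprint are the values quoted in
# the thread; verify them on your own build before using them in a policy.
$ExpectedSenseThumbprint = '7b2177e03d07812a5a5842565a647db565f77bb8'
$SensePath    = 'C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe'
$PlatformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'

function Get-SignerInfo {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Status = $null
                                  Thumbprint = $null; Running = $false }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Status     = $sig.Status        # 'Valid' when the signature verifies
        Thumbprint = if ($sig.SignerCertificate) {
                         $sig.SignerCertificate.Thumbprint.ToLower()
                     } else { $null }
        Running    = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
    }
}

# MsMpEng.exe lives in a version-named folder (e.g. 4.18.2102.3-0),
# so resolve the highest version present instead of hard-coding the path.
$latest = Get-ChildItem -LiteralPath $PlatformRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object { [version]($_.Name -replace '-.*$') } -Descending |
    Select-Object -First 1

$results = @(Get-SignerInfo -Path $SensePath)
if ($latest) {
    $results += Get-SignerInfo -Path (Join-Path $latest.FullName 'MsMpEng.exe')
}
$results | Format-List

# Same conditions as the MD-ATP check: file present, process running,
# signature valid, signer thumbprint equal to the expected value.
$sense = $results[0]
$ok = $sense.Exists -and $sense.Running -and $sense.Status -eq 'Valid' -and
      $sense.Thumbprint -eq $ExpectedSenseThumbprint
"MD-ATP posture: $(if ($ok) { 'PASS' } else { 'FAIL' })"
```

A thumbprint identifies one specific signing certificate, so a FAIL with a valid signature usually means the binary is signed with a different certificate than the one pinned in the profile.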