Hi @Prasant Chettri
Welcome to Microsoft Q&A platform and thanks for posting your query here.
Great question! When you onboard devices in MS Purview with Defender in passive mode, the device might show as "green" and reflect policy updates without the script actually running. This could mean that the policy update is being applied through Defender's passive monitoring, but it doesn't necessarily indicate that the full DLP policy has been enforced yet.
To distinguish between endpoints that are onboarded with the script vs. those that aren't, one way to check is by looking at the device's onboard status in the device management report. However, the most reliable method would be to run the Endpoint DLP test on both types of devices and compare the results. This test should help clarify whether the policy is being actively applied by the Defender or if it's fully enforced via DLP.
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click Accept Answer and Yes for "was this answer helpful". And, if you have any further query do let us know.