We have created indicators to allows specific exe's run from vendor USB drives. It seems to be working on a few machines only. All machines are hybrid joined in Intune, onboarded in Defender.  All policies  that we've created in Endpoint manager work on these machines. 

How can we determine if these indicators have applied to these machines? Or are the indicators checked in Real Time?