Intune Device Control policies in Attack Surface Reduction not Merging
We've started deploying attack surface reduction policies in the form of device control policies under Endpoint Security > Attack Surface Reduction > Create Policy > Windows 10 and later > Device Control. The policies are set up to first block device classes, which works, and then unblock specific devices by instance IDs. This works fine when only one allow list is assigned to a device; however, we have a few overlapping lists, with different departments having devices unblocked and then those same departments being included on a different list for unblocking printers.
According to Microsoft's documentation, these policies should merge into one allow list.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy#policy-merge-for-settings
That doesn't happen, and instead when a device is synced it seems to randomly choose which list to add to the AllowInstanceIDs. We can see the list change in the registry after every sync, with it switching between allow lists.
Is there something we've missed to get policy merging working with device control through attack surface reduction, or does this just not work properly on Intune?