This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 35%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
We've started deploying attack surface reduction polices in the form of device control polices under, Endpoint Security > Attack Surface Reduction > Create Policy > Windows 10 and later > Device Control, The polices are setup to first block devices classes, which works, and then unblock specific devices by instance ID's, this works fine when only one allow list is assigned to a device, however we have a few overlapping lists with different department having devices unblocked and then those same departments being included on a different list for unblocking printers.
According to Microsoft's documentation these polices should merge into one allow list.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy#policy-merge-for-settings
That doesn't happen and instead when a device is synced it seems to randomly choose which list to add to the AllowInstanceIDs, we can see the list change in the registry after every sync with it switching between allow lists.
Is there something we've missed to get policy merging working with device control through attack surface reduction, or does this just not work properly on Intune?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Joshua Roles , Thanks for posting in Q&A. From your description, it seems the policy merger for device control profiles are not working.
To check our issue, could you choose one affected device and collect the following information to us?
Please collect the above information and if there's any update, feel free to let us know.
Here's the screenshots of the policies and the list of reg keys that are created when each policy seems to apply, which policy successfully applies appears to be random, so which policy is successful applied on the reporting on endpoint changes.
@Joshua Roles , Thanks for your update. The phenomenon is strange. Then I go to check in my lab, I find the setting "Allow hardware device installation by device instance identifiers" is not in my environment. It seems the settings have updated.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-profile-settings#device-control
Then I go to do more researching, but didn't find the same issue as yours. Here, I suggest to open case to get more help:
https://learn.microsoft.com/en-us/mem/get-support
Thanks for your understanding.