ASR Device Control policy update registry conflict

Hi, I'm working with a customer who's rolling out DfE Device Control and we have come across some strange behaviour when changes to the groups and rules are made from the Intune ASR page.

Reviewing the PolicyGroups and PolicyRules REG_SZ keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager shows that changes are appended to both keys, not replaced, creating a XML stream of legacy policies and groups. Is this expected behaviour?

This creates new policy GUIDs each update which isn't obvious to know if the new policy is active or not and from testing does lead to long delays in devices becoming denied/allowed despite the changes pulled down to these keys. Is there some way to determine the active policy GUID? 

The customer will need to semi-frequently add new USB drives to the allow group/policy which from testing seems to work more reliably if you delete the 2 registry keys, run a sync, and try access the drive than waiting for it to append the updated group and policy XML code-block. Are changes to device groups via Intune meant to automatically update on the machines and follow policy rules?

NB: They are hybrid machines using co-management with only Endpoint Protection workload moved over so far. Machines also onboarded into Defender for Endpoint.

Thanks :)