This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 88%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hi,
I have been experiencing an issue recently where I open Excel and I can see the process start in Task Manager (with about 30-40% CPU usage) however the application doesn't open. I have been able to get around it by performing a Quick Repair which fixes it briefly however the issue reoccurs.
We recently rolled out Intune and it seems this may be the cause.
Is anyone able to shed any light on this? I have had issues with Outlook crashing and that was caused by Exploit Guard however I wanted to make it known before I go looking elsewhere.
Thanks.
Thanks for the responses,
I believe it may be Exploit Guard again causing the issue. It only happens on Excel however that is where policies from Exploit Guard are assigned. In the XML change:
EnableExportAddressFilter = "false"
EnableExportAddressFilterPlus="false"
I haven't heard back from the user yet so hopefully that fixes the issue. I will keep you posted if there is any development.
Update: This was not the case, user is facing the same issues this morning but after a reboot.
FROM A REDDIT POST
"Hi All. We have found out the issue here. It is the Security Baseline, specifically the XML configuration in Exploit Guard. Edit the XML to remove EnableRopSimExec="true" from EXCEL.EXE.
If you have impacted users, if you have admin rights on the Intune machine you can do this via the GUI:
Start > Windows Security > App & browser control left-hand option > Exploit protection settings > Program settings > search for Excel.exe > Edit > and TURN OFF "Simulate execution (SimExec)"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 99%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKC%3C/text%3E%3C/svg%3E)
Just wanted to say nice one for posting the solution from Reddit Kyle. I had few users with this Excel issue and after updating the Security Baseline's Exploit Guard XML it seems to have sorted them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 46%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Not a fan of me tooing but we are having the exact same issue across multiple intune tenants - the only commonality being Intune itself.
We removed Intune from one of our, now many, affected devices - this has resolved the issue until we can identify the exact cause. We havent adjusted policies in weeks within Intune which signals a concern that something on Microsoft's end has gone wrong. It would, as always, be great to hear from them on this matter but I won't hold my breath.
anonymous userMoody-3398
Does this issue occur on other Office applications like Word?
Please try to open Excel in safe mode eliminate interference from add-ins and startup items.
Press Win+R, type excel /safe, Enter.
If you can open Excel successfully in safe mode:
> We recently rolled out Intune and it seems this may be the cause.
<< Do you mean that you enrolled your device in Intune to manage?
If yes, please add the Enterprise Context column to the Details tab of the Task Manager.
You could also try to un-enroll your device from Intune to check the issue.
Besides, to better help you, it is recommended to add a tag related to Intune like “mem-intune-enrollment”.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
The fix provided above worked for us, however some users are experiencing issues when using formula's =SUM(A1:A7) and excel crashes.
unsure if its related, however EventID shows
Log Name: Application
Source: Application Error
Date: 12/10/2020 10:19:54 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: xxx
Description:
Faulting application name: EXCEL.EXE, version: 16.0.13127.20910, time stamp: 0x5fcbbcd1
Faulting module name: PayloadRestrictions.dll, version: 10.0.19041.1, time stamp: 0xe257489f
Exception code: 0xc0000409
Fault offset: 0x0006e6d6
Faulting process id: 0x232c
Faulting application start time: 0x01d6ce81bba7b4d8
Faulting application path: C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\PayloadRestrictions.dll
Report Id: 2656bb9d-2038-4f3b-8a33-dec13b73cb3a
There was one further thing that was causing us issues, when users tried to use a filter on a spreadsheet it would also then too. Found out that the setting causing this was Validate API Invocation, and I tested it by setting it to off. I amended the xml in the baseline so that the line under Excel read EnableRopCallerCheck="false", in the same way as above.
I've just had a check and using a formula doesn't cause Excel to crash so hopefully this will work for you too...
Thanks this works! Users are not experiencing issues with formulas in excel.
I made the change to the MDM Baseline, hopefully Microsoft comes back with an answer, would like to have both settings enabled back to default when a proper fix comes out.