Thanks for the responses,
I believe it may be Exploit Guard again causing the issue. It only happens on Excel however that is where policies from Exploit Guard are assigned. In the XML change:
EnableExportAddressFilter = "false"
EnableExportAddressFilterPlus="false"
I haven't heard back from the user yet so hopefully that fixes the issue. I will keep you posted if there is any development.
Update: This was not the case, user is facing the same issues this morning but after a reboot.
FROM A REDDIT POST
"Hi All. We have found out the issue here. It is the Security Baseline, specifically the XML configuration in Exploit Guard. Edit the XML to remove EnableRopSimExec="true" from EXCEL.EXE.
If you have impacted users, if you have admin rights on the Intune machine you can do this via the GUI:
Start > Windows Security > App & browser control left-hand option > Exploit protection settings > Program settings > search for Excel.exe > Edit > and TURN OFF "Simulate execution (SimExec)"