I am posting this as advise. I found an initial answer via a comprehensive search was to turn off secure boot on the affected machine (not what I consider the best solution)
However I resolved the problem by accident whilst I was fixing my Edge Chromium update policies in Endpoint manager to work properly and allow the Beta version on Windows 10 endpoints whilst denying the other 2 variants.
My test machine was still locked down in Defender Endpoint with app restriction turned on after I was testing my skills over the weekend. I quickly released this, and Adobe Reader DC installed just fine afterwards on the endpoint
All machines are managed exclusively via Intune, NO group policy controls applied.
Some poor sod had this problem over 300+ machines. Sorry for you bro.
I did however make an adjustment to Intune for WDAC.