Just went through some troubleshooting on our Windows Mount host to figure out why MsMpEng.exe (Microsoft Defender) was using high CPU despite KB1999 exclusions, and excluded the "Veeam.ThreatHunterService.exe" by Name to resolve it.
We have all the exclusions listed in https://www.veeam.com/kb1999 but that exe is not specifically called out.
Using Process Monitor on Veeam.ThreatHunterService.exe, some access is via C:\VeeamFLR but some is by \Device\HardDiskVdkVolume{id}, and the latter was showing up in Process Monitor for MsMpEng, so excluding more than C:\VeeamFLR seems to be necessary.
We found we had a policy conflict between Active Directory Group Policies and Intune's Microsoft Defender policies. We excluded the machine from the GPO using the delegation advanced settings "Deny Apply Group Policy" so we could focus on just one set of policies. We also used the Defender "Troubleshooting" mode, which let us temporarily disable tamper and real-time protections, and could see the effect on MsMpEng.exe in real time in Task Manager (disabling Real Time Protection dropped it from the top spot and enabling it brought it back). We also found we were missing C:\Program Files\Veeam\Backup and Replication\Threat Hunter\ as called out at the top of KB1999, but even with that exclusion Defender was still scanning ahead of Threat Hunter.
The final result was we had to exclude Veeam.ThreatHunterService.exe by process name and that resolved the issue.
HTH someone else someday
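
An added example, not part of the original post: a PowerShell audit, run elevated on the mount host, that compares the exclusions Defender has actually applied with the entries named above. The function name `Get-ExclusionReport` and the expected lists are assumptions built from the paths and process name in the post; `Get-MpPreference` and `Get-MpComputerStatus` are the standard Defender cmdlets.

```powershell
# Expected entries, taken from the post (adjust to your install).
$expectedPaths = @(
    'C:\VeeamFLR',
    'C:\Program Files\Veeam\Backup and Replication\Threat Hunter'
)
$expectedProcess = 'Veeam.ThreatHunterService.exe'

# Hypothetical helper: report which expected exclusions are in effect.
function Get-ExclusionReport {
    param(
        [string[]]$ActualPaths,
        [string[]]$ActualProcesses,
        [string[]]$WantedPaths,
        [string]$WantedProcess
    )
    # Ignore trailing backslashes; -contains is case-insensitive for strings.
    $have = @($ActualPaths | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
    foreach ($p in $WantedPaths) {
        [pscustomobject]@{
            Type = 'Path'; Entry = $p
            Present = $have -contains $p.TrimEnd('\'); Note = ''
        }
    }
    # A process exclusion can be a bare file name or a full path.
    $hits = @($ActualProcesses | Where-Object {
        $_ -and ([System.IO.Path]::GetFileName($_) -ieq $WantedProcess)
    })
    $note = ''
    if ($hits | Where-Object { $_ -notmatch '[\\/]' }) {
        # Name-only entries apply to any process with this file name.
        $note = 'name-only: matches this file name in any folder'
    }
    [pscustomobject]@{
        Type = 'Process'; Entry = $WantedProcess
        Present = $hits.Count -gt 0; Note = $note
    }
}

# Effective settings after GPO, Intune and local configuration are merged.
$pref = Get-MpPreference
Get-ExclusionReport -ActualPaths $pref.ExclusionPath `
    -ActualProcesses $pref.ExclusionProcess `
    -WantedPaths $expectedPaths -WantedProcess $expectedProcess |
    Format-Table -AutoSize

# Confirm protection is back on once troubleshooting mode has ended.
Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected |
    Format-List
```

Running it after each policy change shows which exclusions Defender ended up with when both Group Policy and Intune are delivering settings.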