When the EDR is redeployed, renamed, or upgraded and the SEPM connection is not removed beforehand, the previous SEPM's EDR exception policies may still exist if not manually removed. If this happens, this can create a possibility of duplicating exception policies exceeding the 65,000 exception limit, which in turn may cause High CPU of the SEP client.
For example:
EDR 4.x, SEPM 14.x
The following steps should guide you to identify and clean up what left over policies from previous EDR connections
1) Remove the EDR's SEPM connection
2) Open the SEPM's Exception Policy and remove any EDR "Source" policies
3) Open the SEPM's 'System Lockdown' policy and remove any EDR "Fingerprint Lists"
4) Add the EDR's SEPM connection