Exclusion of Users on Policies
If you wish to exclude certain users with a filter from an application policy, follow these general guidelines.
Targeting Administrators with the Exclusion
To target the Administrators group, you need to use a User Context filter and select Administrators for the Built-in Accounts. The out-of-the-box Administrators (Include Disabled) filter (item f9569529-62d4-49ba-aa21-b9362e1f4de6) accomplishes the same. Include disabled text just means the user is a member of the group, but the process may or may not be elevated.
This is an example of a working filter for the Administrators Group:
Targeting new Local Groups (not built-in)
The Local Group Names option can be used to target new local groups. New local groups are user groups that are not considered built-in system or out-of-the-box Windows groups, such as Users, Administrators, Power Users, Backup Users, etc.
For example, create a new local group on a local computer and call the group "Test1". Then add a user to it that you wish to exclude.
In this example, if you configure a filter like this, the following policy should correctly exclude users in the group.