Exclusion of Users on Policies

If you wish to exclude certain users with a filter from an application policy, follow these general guidelines.

Targeting Administrators with the Exclusion

To target the Administrators group, you need to use a User Context filter and select Administrators for the Built-in Accounts. The out-of-the-box Administrators (Include Disabled) filter (item f9569529-62d4-49ba-aa21-b9362e1f4de6) accomplishes the same. Include disabled text just means the user is a member of the group, but the process may or may not be elevated.

This is an example of a working filter for the Administrators Group:

Targeting new Local Groups (not built-in)

The Local Group Names option can be used to target new local groups. New local groups are user groups that are not considered built-in system or out-of-the-box Windows groups, such as Users, Administrators, Power Users, Backup Users, etc.

For example, create a new local group on a local computer and call the group "Test1". Then add a user to it that you wish to exclude.

In this example, if you configure a filter like this, the following policy should correctly exclude users in the group.