Prohibit standard users from adding exclusions to Windows Defender (Windows Security)

Occasional Contributor

Hello there,


How can I prohibit standard users from adding exclusions in Windows Defender?

I would like to only control the Defender-exclusions from a central point and the standard users should not be able to add exclusions themselves.


I've searched through GPO's and settings in Intune but can't seem to find the correct setting. Does anyone know if this is possible? If it is, where is the setting then?


Windows 10 Enterprise, 1903 and 2004. 

Devices are Hybrid Azure AD Joined



2 Replies
best response confirmed by Simon Håkansson (Occasional Contributor)

@Simon Håkansson 


Use Tamper Protection would be my recommendation.