Has anyone ever seen an issue in Cisco Umbrella where, when a roaming computer tries to access a website, it tries to access the site as the built-in Windows administrator account instead of the logged-in Windows user? I've now seen this occur at least twice and it's not clear what causes it. For one user, it resolved itself after the user restarted, I believe (maybe that user simply logged out of Windows and back into it), so I had chalked this up to that user continually locking the machine and never signing out at the end of the day. However, just this morning, we had one user for whom it switched from accessing websites as his username to using the built-in Windows administrator account and then switched back. As a result, for those 11 minutes, he was receiving the default policy instead of receiving a custom policy that should be applied to him. This was causing the machine to be blocked from accessing a website that he and a select few people should be able to access, as he is in a custom group whereas most other users are not.
I was just wondering if anyone had ever seen this and if there is a known root cause? I will note that in both aforementioned cases, I have only seen this on laptops that use either the Umbrella Roaming Client or the Cisco AnyConnect Umbrella Roaming Module. (We used to use the former, but after all users were given VPN access, we switched to the latter since this nicely integrates into the Cisco AnyConnect Security Mobility Client.) Thanks in advance for any insight.