Symantec Endpoint Protection (SEP) managed clients switch to User Mode when checking in / registering with the Symantec Endpoint Protection Manager (SEPM).
Clients behavior and are registered as designed.
The main reason was the existing 11.x client installation package that has already been distributed with a User Mode policy.
If a duplicated Windows user account having a general name like "administrator", "admin" or "user" logons to a User Mode SEP client, the User Mode client entry created in SEPM DB.
So this makes an existing computer mode SEP client register as User Mode, if the Windows user is already associated with a User Mode client, logs on to a computer mode machine.
If User Mode package has been distributed already, solution for this issue should be focus on how to manage distributed client package.
For User Mode client entry already created in SEPM DB, please refer Fix below from Release note of RU7 version:
Fix ID: 2084474
Symptom: A Computer-mode client is registered as a User-mode client, which may cause it to change groups inadvertently.
Solution: When a client is switched from User-mode to Computer-mode, all users associated with the record are now deleted
From a SEPM higher build than RU7, switch the User Mode client having "preferred mode = 0" to Computer mode and delete the User Mode client having "preferred mode = 1", this will delete all duplicated User Mode entries from the DB also.
NOTE: But if there is even one SEP client remains in User Mode and the duplicated user account logs on, this situation can happen again.
Symantec Endpoint Protection Manager (SEPM) 11.0.x
Symantec Endpoint Protection (SEP) clients 11.0.x and 12.1.x