Carbon Black Cloud: User Field in Endpoints Page May Reflect Old User

Article ID: 291412


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

After installing the Carbon Black Cloud sensor, the endpoint's entry on the Endpoints page shows an inactive user, or a user other than the current user or the user who installed the sensor.

Environment

  • Carbon Black Cloud: All Sensors version 3.2 and above
  • Carbon Black Cloud Console:
  • Microsoft Windows 10
  • Microsoft Windows Server 2012

Cause

Due to how the user information is evaluated at sensor install time, a user that may be cached on the system from a prior login will be displayed in the user field.

Resolution

  • This is a known limitation of the product.
  • Engineers are currently planning work to improve this functionality in a future release of the sensor and back end.
  • One possible workaround is to log in to the machine directly and uninstall/reinstall the sensor.

Additional Information

The user field is populated by the installing user (for attended installs) or the best guess of the user that was online when it installed (for unattended installs).

Sensors 3.5.x.x and higher enumerate the logged-on users at the time the status message is sent and pick the interactive user with the most recent logon time. The status message is sent once after a restart, then every 8 hours, or every 15 minutes when the sensor is in bypass. The status message can also be sent on various triggers, such as network changes, a change in the status of the local scanner (sig pack update or enable/disable), the LR session being established or closed, VDI reregistration, or a network quarantine status change.
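To see on the endpoint itself what that selection has to work with, the following added example (not Carbon Black code, and not the sensor's implementation) lists interactive logon sessions through WMI and reports the one with the most recent logon time. It assumes logon types 2, 10 and 11 count as "interactive" and should be run from an elevated PowerShell session so that other users' sessions are visible.

```powershell
# Added example (not Carbon Black code): list interactive logon sessions on the
# local Windows host and show which user has the most recent logon time.
# Assumption: logon types 2, 10 and 11 stand in for "interactive"; the article
# does not say which logon types or APIs the sensor uses.
$interactiveTypes = @{
    2  = 'Interactive'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}
# Built-in identities that also hold type 2 sessions (DWM-n, UMFD-n).
$ignoredDomains = @('Window Manager', 'Font Driver Host')

$rows = foreach ($session in Get-CimInstance -ClassName Win32_LogonSession) {
    $type = [int]$session.LogonType
    if (-not $interactiveTypes.ContainsKey($type)) { continue }

    # Win32_LoggedOnUser links each logon session to its account.
    $accounts = Get-CimAssociatedInstance -InputObject $session `
        -Association Win32_LoggedOnUser -ErrorAction SilentlyContinue

    foreach ($account in $accounts) {
        if ($ignoredDomains -contains $account.Domain) { continue }
        [pscustomobject]@{
            User      = '{0}\{1}' -f $account.Domain, $account.Name
            LogonType = $interactiveTypes[$type]
            LogonId   = $session.LogonId
            StartTime = $session.StartTime
        }
    }
}

if ($rows) {
    # Newest logon first; the top row is the "most recent interactive user".
    $sorted = @($rows | Sort-Object -Property StartTime -Descending)
    $sorted | Format-Table -AutoSize
    $latest = $sorted[0]
    Write-Output ('Most recent interactive logon: {0} ({1}) at {2:u}' -f `
        $latest.User, $latest.LogonType, $latest.StartTime)
}
else {
    Write-Output 'No interactive logon sessions found.'
}
```

If the console's User field differs from the top row, compare the row's StartTime with the status message schedule described above: a logon that happened after the last status message will not appear in the console until the next one is sent.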

The plan is to change the sensor to continuously monitor the logged-on users so that we don't have to enumerate them at the time of the status message, which also makes the result more deterministic.