In Symantec Endpoint Protection Manager (SEPM): for SEP 12.1 clients, the logged on user ("Logon user or Computer") field is not reflecting the currently logged on user, but rather the last user that has opened the SEP console on the machine.
In case where it is a new SEP installation the "Logon user" field will with high probability reflect the user that installed the SEP client- "administrator" in most cases. "Logon user" name does not change after another user logs on the computer. The change is only reflected if the newly logged on user opens the SEP console on client. This issue occurs regardless of the communication mode set (Push/Pull).
In case no user is logged on the machine, the "Logon User" field in SEPM will reflect the last logged on user. This is default behavior and is expected.
This issue confirmed as fixed with the SEP 12.1 RU1 MP1 release. To take advantage of all enhancements, fixes and improvements, please upgrade to the latest available release of SEP 12.1. For information on obtaining the latest build of Symantec Endpoint Protection, read How to obtain an update or an upgrade for your Symantec corporate product.
SEP 11.x is not affected by the issue. The change of the "Logon User" field occurs within 5 minutes (default heartbeat settings).
SEP 12.1 RTM and SEP 12.1 RU1 releases are affected. Later versions of SEP 12.1 are not affected.