Device authenticates instead of user

The request is authenticated and that user is assumed to be correct for several minutes.  Roughly every four minutes it is reauthenticated.

If the first authentication request is actually by the Windows system itself (for example Windows Update) then windows will send the computer name as the user.  Because that is the user for that request.  It will consider it that user until reauthentication.  On reauth hopefully it is authenticating a real user request and then the logged in user will switch to the real one.  Note: reauthentication will never switch from a user to a computer.

For most customers that means you might get a little bit of wrong auth, but it automatically correct itself and then stays corrected.  As far as I know due to background data most customers have the user authenticated for days.  That means an initial authentication only happens infrequently.

You could potentially disallow all computers from logging in.  Then if the first requests to Windows Update (for example) would be blocked.  When real user requests come in it would authenticate correctly with a user, and then Windows Update would work.  I've never done this and am curious to see if it would work.  You would need to go to the computer user that is created on the XG, edit and...  I think set Network Traffic to None.

Alternately set a firewall rule that applied to user and groups and put in all your computers.  Give them a limited web policy.  Or if you want you can use the same firewall rule and web policy, just set the rules within the web policy user to apply to users and groups as you see appropriate.

The request is authenticated and that user is assumed to be correct for several minutes.  Roughly every four minutes it is reauthenticated.

If the first authentication request is actually by the Windows system itself (for example Windows Update) then windows will send the computer name as the user.  Because that is the user for that request.  It will consider it that user until reauthentication.  On reauth hopefully it is authenticating a real user request and then the logged in user will switch to the real one.  Note: reauthentication will never switch from a user to a computer.

For most customers that means you might get a little bit of wrong auth, but it automatically correct itself and then stays corrected.  As far as I know due to background data most customers have the user authenticated for days.  That means an initial authentication only happens infrequently.

You could potentially disallow all computers from logging in.  Then if the first requests to Windows Update (for example) would be blocked.  When real user requests come in it would authenticate correctly with a user, and then Windows Update would work.  I've never done this and am curious to see if it would work.  You would need to go to the computer user that is created on the XG, edit and...  I think set Network Traffic to None.

Alternately set a firewall rule that applied to user and groups and put in all your computers.  Give them a limited web policy.  Or if you want you can use the same firewall rule and web policy, just set the rules within the web policy user to apply to users and groups as you see appropriate.