This article is based on a discussion, App-ID Windows Remote Management Showing Up As Web-Browsing, posted by @Gun-Slinger and answered by the Support Team. Read on to see the discussion and solution!
We recently upgraded to 10.1.5-h1 and it appears after the upgrade the Windows-Remote-Management traffic over tcp5985 is now being identified as Web-browsing. This is causing that traffic to drop. We checked dynamic updates and presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?
Closing the loop on this issue. After working with TAC there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 app-id with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing; leaving just windows-remote-management. This resolved the issue and will plan on an upgrade in the near future to 10.1.6.