diff --git a/docs/troubleshooting/ts-management.asciidoc b/docs/troubleshooting/ts-management.asciidoc index 596b4827f5..b228523328 100644 --- a/docs/troubleshooting/ts-management.asciidoc +++ b/docs/troubleshooting/ts-management.asciidoc @@ -222,4 +222,32 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test install If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful. +==== + +[discrete] +[[disable-self-healing]] +.Disable {elastic-defend}'s self-healing feature on Windows +[%collapsible] +==== + +[discrete] +[[self-healing-vss-issues]] +==== Volume Snapshot Service issues + +{elastic-defend}'s self-healing feature rolls back recent filesystem changes when a prevention alert is triggered. This feature uses the Windows Volume Snapshot Service. Although it's uncommon for this to cause issues, you can turn off this {elastic-defend} feature if needed. + +If issues occur and the self-healing feature is enabled, you can turn it off by setting `windows.advanced.alerts.rollback.self_healing.enabled` to `false` in the integration policy advanced settings. Refer to <> for more information. + +{elastic-defend} may also use the Volume Snapshot Service to ensure the feature works properly even when it's turned off. To opt out of this, set `windows.advanced.diagnostic.rollback_telemetry_enabled` to `false` in the same settings. + +[discrete] +[[self-healing-compatibility-issues]] +==== Known compatibility issues + +There are some known compatibility issues between {elastic-defend}'s self-healing feature and filesystem replication features, including https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfsr-overview[DFS Replication] and Veeam Replication. This may manifest as `DFSR Event ID 1102`: + +`The DFS Replication service has temporarily stopped replication because another application is performing a backup or restore operation. Replication will resume after the backup or restore operation has finished.` + +There are no known workarounds for this issue other than to turn off the self-healing feature. + ==== \ No newline at end of file