[8.16] Document how to troubleshoot Defend's self-healing feature on Windows (backport #6361) (#6386)

mergify[bot] · natasha-moore-elastic · github-actions[bot] · web-flow · commit 4cac5b6ba98e · 2025-01-06T15:28:35.000Z
* Document how to troubleshoot Defend's self-healing feature on Windows (#6361) * Document how to troubleshoot Defend self-healing * Adds serverless docs * Adds compatibility issues * Apply suggestions from code review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit c4db057) # Conflicts: # docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc * Delete docs/serverless directory and its contents --------- Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
diff --git a/docs/troubleshooting/ts-management.asciidoc b/docs/troubleshooting/ts-management.asciidoc
@@ -222,4 +222,32 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test install
 
 If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful.
 
+====
+
+[discrete]
+[[disable-self-healing]]
+.Disable {elastic-defend}'s self-healing feature on Windows
+[%collapsible]
+====
+
+[discrete]
+[[self-healing-vss-issues]]
+==== Volume Snapshot Service issues
+
+{elastic-defend}'s self-healing feature rolls back recent filesystem changes when a prevention alert is triggered. This feature uses the Windows Volume Snapshot Service. Although it's uncommon for this to cause issues, you can turn off this {elastic-defend} feature if needed.
+
+If issues occur and the self-healing feature is enabled, you can turn it off by setting `windows.advanced.alerts.rollback.self_healing.enabled` to `false` in the integration policy advanced settings. Refer to <<self-healing-rollback>> for more information.
+
+{elastic-defend} may also use the Volume Snapshot Service to ensure the feature works properly even when it's turned off. To opt out of this, set `windows.advanced.diagnostic.rollback_telemetry_enabled` to `false` in the same settings.
+
+[discrete]
+[[self-healing-compatibility-issues]]
+==== Known compatibility issues
+
+There are some known compatibility issues between {elastic-defend}'s self-healing feature and filesystem replication features, including https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfsr-overview[DFS Replication] and Veeam Replication. This may manifest as `DFSR Event ID 1102`:
+
+`The DFS Replication service has temporarily stopped replication because another application is performing a backup or restore operation. Replication will resume after the backup or restore operation has finished.`
+
+There are no known workarounds for this issue other than to turn off the self-healing feature.
+
 ====
