Document how to troubleshoot Defend's self-healing feature on Windows (…

…#6361) * Document how to troubleshoot Defend self-healing * Adds serverless docs * Adds compatibility issues * Apply suggestions from code review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
elastic · Jan 6, 2025 · c4db057 · c4db057
1 parent ed389ce
commit c4db057
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc b/docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc
@@ -222,3 +222,31 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test install
 
 If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful.
 =====
+
+[discrete]
+[[disable-self-healing]]
+.Disable {elastic-defend}'s self-healing feature on Windows
+[%collapsible]
+====
+
+[discrete]
+[[self-healing-vss-issues]]
+=== Volume Snapshot Service issues
+
+{elastic-defend}'s self-healing feature rolls back recent filesystem changes when a prevention alert is triggered. This feature uses the Windows Volume Snapshot Service. Although it's uncommon for this to cause issues, you can turn off this {elastic-defend} feature if needed.
+
+If issues occur and the self-healing feature is enabled, you can turn it off by setting `windows.advanced.alerts.rollback.self_healing.enabled` to `false` in the integration policy advanced settings. Refer to <<security-self-healing-rollback>> for more information.
+
+{elastic-defend} may also use the Volume Snapshot Service to ensure the feature works properly even when it's turned off. To opt out of this, set `windows.advanced.diagnostic.rollback_telemetry_enabled` to `false` in the same settings.
+
+[discrete]
+[[self-healing-compatibility-issues]]
+=== Known compatibility issues
+
+There are some known compatibility issues between {elastic-defend}'s self-healing feature and filesystem replication features, including https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfsr-overview[DFS Replication] and Veeam Replication. This may manifest as `DFSR Event ID 1102`:
+
+`The DFS Replication service has temporarily stopped replication because another application is performing a backup or restore operation. Replication will resume after the backup or restore operation has finished.`
+
+There are no known workarounds for this issue other than to turn off the self-healing feature.
+
+====
diff --git a/docs/troubleshooting/ts-management.asciidoc b/docs/troubleshooting/ts-management.asciidoc
@@ -222,4 +222,32 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test install
 
 If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful.
 
+====
+
+[discrete]
+[[disable-self-healing]]
+.Disable {elastic-defend}'s self-healing feature on Windows
+[%collapsible]
+====
+
+[discrete]
+[[self-healing-vss-issues]]
+==== Volume Snapshot Service issues
+
+{elastic-defend}'s self-healing feature rolls back recent filesystem changes when a prevention alert is triggered. This feature uses the Windows Volume Snapshot Service. Although it's uncommon for this to cause issues, you can turn off this {elastic-defend} feature if needed.
+
+If issues occur and the self-healing feature is enabled, you can turn it off by setting `windows.advanced.alerts.rollback.self_healing.enabled` to `false` in the integration policy advanced settings. Refer to <<self-healing-rollback>> for more information.
+
+{elastic-defend} may also use the Volume Snapshot Service to ensure the feature works properly even when it's turned off. To opt out of this, set `windows.advanced.diagnostic.rollback_telemetry_enabled` to `false` in the same settings.
+
+[discrete]
+[[self-healing-compatibility-issues]]
+==== Known compatibility issues
+
+There are some known compatibility issues between {elastic-defend}'s self-healing feature and filesystem replication features, including https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfsr-overview[DFS Replication] and Veeam Replication. This may manifest as `DFSR Event ID 1102`:
+
+`The DFS Replication service has temporarily stopped replication because another application is performing a backup or restore operation. Replication will resume after the backup or restore operation has finished.`
+
+There are no known workarounds for this issue other than to turn off the self-healing feature.
+
 ====