elastic · natasha-moore-elastic · Jan 6, 2025 · Jan 6, 2025 · Jan 6, 2025
@@ -222,4 +222,32 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test install
 
 If the command output doesn't contain a message about enabling Full Disk Access, the approval was successful.
 
+====
+
+[discrete]
+[[disable-self-healing]]
+.Disable {elastic-defend}'s self-healing feature on Windows
+[%collapsible]
+====
+
+[discrete]
+[[self-healing-vss-issues]]
+==== Volume Snapshot Service issues
+
+{elastic-defend}'s self-healing feature rolls back recent filesystem changes when a prevention alert is triggered. This feature uses the Windows Volume Snapshot Service. Although it's uncommon for this to cause issues, you can turn off this {elastic-defend} feature if needed.
+
+If issues occur and the self-healing feature is enabled, you can turn it off by setting `windows.advanced.alerts.rollback.self_healing.enabled` to `false` in the integration policy advanced settings. Refer to <<self-healing-rollback>> for more information.
+
+{elastic-defend} may also use the Volume Snapshot Service to ensure the feature works properly even when it's turned off. To opt out of this, set `windows.advanced.diagnostic.rollback_telemetry_enabled` to `false` in the same settings.
+
+[discrete]
+[[self-healing-compatibility-issues]]
+==== Known compatibility issues
+
+There are some known compatibility issues between {elastic-defend}'s self-healing feature and filesystem replication features, including https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfsr-overview[DFS Replication] and Veeam Replication. This may manifest as `DFSR Event ID 1102`:
+
+`The DFS Replication service has temporarily stopped replication because another application is performing a backup or restore operation. Replication will resume after the backup or restore operation has finished.`
+
+There are no known workarounds for this issue other than to turn off the self-healing feature.
+
 ====