Description

Endpoint has a self healing feature on Windows at the Enterprise subscription level (@roxana-gheorghe can you confirm I got the subscription level right?). When enabled, Endpoint will undo recent file system changes when prevention alerts are triggered. This feature uses Windows's Volume Snapshot Service service. Although it is uncommon for this to cause issues on computers, users can disable this Endpoint feature if needed.

There are two reasons Endpoint may use the Volume Snapshot Service. The first is if Enterprise users use the advanced policy option windows.advanced.alerts.rollback.self_healing.enabled to enable the prevention feature. If it was enabled and is causing issues it needs to be turned back off.

Endpoint may also use the Volume Snapshot Service as a part of Elastic's effort to ensure the feature works properly even when it isn't in enforcement mode. Users can explicitly opt out of that by setting the windows.advanced.diagnostic.rollback_telemetry_enabled option to false.

Notes

Can we document this as a new Endpoint troubleshooting page, unless there is somewhere else this information may be more relevant?

cc @nfritts @bit-envoy @joe-desimone to correct me if anything I stated is wrong.