NetNXT Logo

How to Fix SentinelOne Blocking VSS and Causing Backup Failures?

January 19, 2026
2 min read
ByNetNXT

The Problem

SentinelOne’s anti-tamper mechanism protects the Volume Shadow Copy Service (VSS) to prevent ransomware from deleting snapshots. However, this often aggressively blocks legitimate backup software (Veeam, Datto, Windows Backup) from modifying or resizing the shadow storage, causing backup jobs to fail.

Symptoms

  • Windows Backup logs show error 0x8078014D ("Failure in updating backup for deleted items").

  • Veeam fails with "VSS Writer failed" or "Snapshot creation failed."

  • Disabling the S1 Agent temporarily fixes the backup.

The Solution: Policy Override (VSS Configuration)

You cannot just "exclude" VSS; you must inject a JSON configuration to tell the agent to allow storage resizing.

  1. Log in to SentinelOne Console > Sentinels > Policy.

  2. Select the specific policy applied to your Servers.

  3. Go to the Actions menu > Edit Policy > Agent Configuration.

  4. Look for the VSS Config or Configuration Overrides section (often hidden under "Advanced").

  5. Paste the following JSON Override:

{
  "vssConfig": {
    "storageResize": {
      "shouldResize": true,
      "percentageOfDisk": 15
    },
    "vssProtection": true
  }
}
  • shouldResize: true – Allows the agent to automatically resize shadow storage if the backup app needs more space.

  • percentageOfDisk: 15 – Limits VSS usage to 15% of the disk (prevents runaway snapshots).

  1. Save the policy.

  2. Reboot the server to apply the low-level driver change.

Note: If you still see issues, verify that no other security product (e.g., legacy Defender) is also trying to lock VSS.

FAQ

1) Why does SentinelOne block VSS and cause backup failures?

SentinelOne protects VSS to prevent ransomware deletion, but this can block legitimate backup software from resizing shadow storage, causing snapshot or writer failures.

2) Why doesn’t excluding VSS fix SentinelOne backup issues?

VSS cannot be excluded like files or folders. SentinelOne requires a policy-level JSON override to allow controlled shadow storage resizing for backup operations.

3) What SentinelOne error codes indicate VSS blocking issues?

Common indicators include Windows Backup error 0x8078014D, VSS Writer failures, and snapshot creation errors in backup tools like Veeam or Datto.

4) What does the SentinelOne VSS JSON override do?

The override allows SentinelOne to permit controlled shadow storage resizing while maintaining VSS protection, preventing both ransomware abuse and backup failures.

5) Why is a reboot required after applying the VSS policy override?

The VSS configuration change affects low-level drivers. A reboot is required to reload the SentinelOne agent with the updated VSS handling behavior.

Was this article helpful?