Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry


If you have the Microsoft Windows Malicious Software Removal Tool installed on your machine, either because you installed it manually or because it shipped with Windows, you may have noticed already that it sends out so-called Heartbeat Reports after certain scans.

These reports are not linked to any of the major telemetry services or tasks that you may or may not have disabled on your machine.

On Windows 10, the Heartbeat report gets sent out to Microsoft even if you have disabled the Customer Experience Program and the majority of other telemetry-related services or tasks, and made sure to set all privacy-related settings to maximum privacy.

How to disable Heartbeat Telemetry


The first thing you may want to do is check whether the installed copy of the Windows Malicious Software Removal Tool (MRT) sends Heartbeat telemetry reports.

The easiest way to check that is to load the MRT log. Open File Explorer or Windows Explorer on your Windows machine, and load the following by pasting it in the address bar and hitting the Enter-key: C:\Windows\debug\mrt.log

This opens the MRT log. Scroll down to the last entries and check for Heartbeat Telemetry there. You may also hit F3 to open the search to jump to the first Heartbeat entry in the log.

Heartbeat Telemetry data is not sent out each day according to the log, but only every five or six days. You can verify that in the log as you will find “Heartbeat Will be Sent in x Days” entries there.

Microsoft notes in its privacy statement that the Malicious Software Removal Tool will send a report to Microsoft with “specific data about malware detected, errors, and other data about your device” but fails to go into details.

We don’t know what is sent to Microsoft as part of Heartbeat other than the information that Microsoft revealed in its privacy statement.

Option 1: Registry Key


The Knowledgebase support article KB891716, Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment, lists a Registry key to block the sending of reports of the MRT to Microsoft.

An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set, the tool will not report infection information back to Microsoft.

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT

Entry name: DontReportInfectionInformation
Type: REG_DWORD
Value data: 1

Note: Since Heartbeat is only triggered when automatic scans are run, it is too early to say if setting the key disables the sending of reports completely. I will monitor the situation and will update the article with my findings later.

  1. Tap on the Windows-key, type regedit.exe and hit the Enter-key.
  2. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
  3. Right-click on MRT and select New > Dword (32-bit) Value from the context menu.
  4. Name the new Dword DontReportInfectionInformation
  5. Double-click the newly created Dword and set its value to 1.

Option 2: Disable the MRT Task, or Disable Heartbeat Telemetry


Since MRT is run automatically, it must be triggered somewhere. If you check the Task Scheduler for MRT related tasks, you will eventually find the one task that Windows uses for that.

Note: Disabling the task disables automatic MRT scans on the system. Make sure you have proper antivirus software installed on the device.

  1. Tap on the Windows-key, type Task Scheduler, and hit the Enter-key.
  2. Use the sidebar folder structure and go to Task Scheduler Library > Microsoft > Windows > RemovalTools.
  3. Right-click on MRT_HB and select Disable from the context menu.

If you compare the last run time with the Malicious Software Removal Tool log, you will notice that they match. Also, the _HB part is a strong indicator that this is what is triggering the Heartbeat reports.

If you check the command switches used, you will notice the undocumented switch /EHB. You could remove the switch from the command to keep automatic scans without Heartbeat report generation enabled.

I verified that /EHB is indeed the trigger for Heartbeat Telemetry. If you remove it, no Heartbeat reports are created when the scan runs.

You may need to check back regularly though as Windows Updates may replace the custom task with the default one.
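
The checks described above can be scripted so they are easy to repeat after Windows Updates. The following PowerShell is an added example, not part of the original article or any Microsoft tooling; the function names are hypothetical, and it assumes an elevated session and the registry key, log path and task name given in this article.

```powershell
# Added example (not from the article). Function names are hypothetical.
# Registry key, log path and task name are the ones the article gives.
$MrtKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$MrtLog  = Join-Path $env:windir 'debug\mrt.log'
$TaskDir = '\Microsoft\Windows\RemovalTools\'

function Set-MrtNoReportPolicy {
    # Option 1: create the policy key if it is missing, then set the DWORD to 1.
    if (-not (Test-Path $MrtKey)) { New-Item -Path $MrtKey -Force | Out-Null }
    New-ItemProperty -Path $MrtKey -Name 'DontReportInfectionInformation' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-MrtHeartbeatStatus {
    # Registry: $null means the value (or the whole key) is not set.
    $policy = (Get-ItemProperty -Path $MrtKey -Name 'DontReportInfectionInformation' `
        -ErrorAction SilentlyContinue).DontReportInfectionInformation

    # Option 2: task state, and whether /EHB is still on the command line.
    $task = Get-ScheduledTask -TaskPath $TaskDir -TaskName 'MRT_HB' `
        -ErrorAction SilentlyContinue
    $taskArgs = if ($task) { ($task.Actions | ForEach-Object Arguments) -join ' ' }

    # Log: Get-Content honours the file's BOM, so no encoding has to be guessed.
    $lastHb = if (Test-Path $MrtLog) {
        Get-Content $MrtLog | Select-String -Pattern 'Heartbeat' |
            Select-Object -Last 1
    }

    [pscustomobject]@{
        PolicyValue      = $policy
        TaskState        = if ($task) { $task.State } else { 'NotFound' }
        TaskHasEHB       = [bool]($taskArgs -match '/EHB')
        LastHeartbeatLog = if ($lastHb) { $lastHb.Line.Trim() } else { $null }
    }
}

# Report the current state; nothing is changed unless Set-MrtNoReportPolicy is called.
Get-MrtHeartbeatStatus | Format-List
```

If TaskHasEHB flips back to True or TaskState returns to Ready after an update, the default task has been restored.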

Now You: Did the Microsoft Windows Malicious Software Removal Tool send out Heartbeat Telemetry reports on your machine?