You can change it. Basically, if it is "disabled" heuristics are turned off. If it is a "very low", or "low", or any other setting than disabled, it will reach out to what I will call mcafees heuristic engines for analysis.
It is up to you whether or not. If it were me and my domain controller, I would be cautious turning on heuristics, because it is behavioral based, and could generate a number of false positives, thus causing outages.
I understand the settings and how to change them. At this point I'll leave it as is.
I'm just surprised that the 2 Domain Controllers show that heuristics are disabled for a Full Scan. This apparently is a default setting on install b/c no other machines installed with heuristics disabled.
As I said, it does not appear in any documentation.
You should set the GTI settings (heuristcal network check) to medium for every machine for both OAS and ODS. The only time you go higher is when you have a machine you highly suspect is infected.
If GTI is going to false on file reputations it is likely to do it over a program that has some one of the zillions of packers out there. Normally I see this as the installers for printer drivers (not the actual drivers) or some very small free programs. The file reputations for pretty much everything on the Windows installer images are well-known and already whitelisted within the GTI Skynet AI thingy (secret internal technical name).