Prevent DNSFilter service stop.
Agree, this is a common antimalware control.
How about a scheduled task that makes sure the DNS Agent is running without the need to have the user logged on? Modify this to a scheduled event every 10 minutes so DNS Filter remains on.
C:\Windows\System32\cmd.exe /c net start "DNS Agent" & c:\windows\system32\schtasks.exe /create /tn "MTS_DNSFilter" /ru SYSTEM /Sc ONSTART /tr "C:\Windows\System32\cmd.exe /c sc config \"DNS Agent\" start= auto" /F & C:\Windows\System32\cmd.exe /c sc start "DNS Agent"
Yes, this needs to be a feature so that users can't turn it off to get around the filtering.
Yes, when I'm talking about "service", I mean the Windows service in services.msc. @Isaac is correct in that AV companies and Cisco Umbrella (where I've just come from) are able to prevent services from being stopped.
You don't have control of the firewalls everywhere your users are, that's the main point of having an agent. This can definitely be done somehow, AV companies do it.
Not sure how this would work. Probably best to configure a rule on your firewall. For example, allow tcp/udp port 53 to DNS Filter IP addresses from lan to wan zone. Deny all other IPs to tcp/udp port 53 from lan to wan zone.