This sounds like a pain in the ass to maintain. Either you are trusting Microsoft to give you a whitelist of “good” domains or you have the IT department having to jump to action every time a user tries to connect to a new site. If you are just using it to track dns queries then you have to trust that the whole software suite of the organization is playing nice and not using any hard-coded IP addresses or doing any dns lookups in a bad way, which with custom legacy software, good luck.

Also, is this just a server change, or will all the client boxes have to be updated for this? That will be a pain in any network with a mix of OSes on it.

I’m still going to use my adblocking DNS