The one component from MBAM which has not so far been included in CM BitLocker Management is the Administration Service. This web service is used as the api entry point for 3rd party systems and custom automation activities for things like retrieving recovery keys.

Seeing how the Recovery Service endpoint only requires IIS and a Management Point role, would it be feasible to have the endpoint run on CMG?

Internet-based clients in a co-management environment cannot reach the internal MP URL. Unless they use a VPN connection. We could leverage the BitLocker CSP policies available in Intune but that doesn't offer integration with recovery keys stored in the SQL DB, or the Helpdesk and Self-Service portals.

Supporting the MBAM role through CMG could be a quick win.

I do not see a way to add a hash to endpoint protection. We had malware recently that endpoint protection did not catch. We have the hash number but I didn't find a way in SCCM to add that.

Since implementing antivirus exceptions are a control gap, please allow windows defender to optionally audit excluded directories in scheduled scans in an audit only mode.

When Application Guard is configured through Group Policy, Enterprise PKI roots can be imported into the Application Guard container, but this setting is not available directly in Configuration Manager.

Adding this setting to Configuration Manager would allow easier configuration, and also prevent having two places where Application Guard is configured.

Please allow to use a Timerange which is more than 30 Days on Advanced Hunting.
The Tenant saves Data for 180 Days, but on Advanced Hunting you can only use 30days as max timerange.
If you was Hunting Malware, you need sometimes more than 30 Days.

Please set an RBAC-Model for the Advanced Hunting Feature, like the RBAC-Model for Log Analytics.
This will give us more control, who can access the critical data from Advanced Hunting.

Support MBAM Services on Windows Server 2016/2019 systems. We have Physical servers with TPM and bitlocked drives but are unable to leverage the MBAM client and policies on Server class operating systems.

Would like to be able to use BitLocker Management portals when using non-standard SQL ports. Currently the install script\configuration requires standard ports in order to be able to install.

Great to see MBAM fully integrated in CM 1910, but the policy does not have any option to enforce the encryption. User can always postpone it.

For more info, see this: https://www.youtube.com/watch?v=kRkyx_-l9QU

Some Attack Surface Reduction Rules are missing in the Windows Defender Exploit Guard settings.

Please include the following Rules:
Block Office communication application from creating child processes
Block Adobe Reader from creating child processes
Block persistence through WMI event subscription

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

It would be nice to have ability to enable Tamper Protection in defender via SCCM antimalware policy

For policies, especially related to content filtering, it would be great to have much more strict enforcement during business hours than during non-business hours on company equipment.

Alternately this would be a good tool to help enforce usage policies for hourly employees who should not be accessing certain equipment after business hours to ensure there are no labor law violations.

When reporting it would be great to see time of day for activity. For example, I may care less about social media or YouTube usage in evenings on company equipment than during the day.

Be able to manage Controlled Folder Access on Windows Server 2019 from Microsoft Endpoint Configuration Manager

Defender ATP onboarding policy shows error when successful.

It should be possible to deploy a Microsoft Defender ATP Policy to a User collection, not just a Device collection.