Support MBAM / BitLocker Management IIS roles on CMG
Seeing how the Recovery Service endpoint only requires IIS and a Management Point role, would it be feasible to have the endpoint run on CMG?
Internet-based clients in a co-management environment cannot reach the internal MP URL unless they use a VPN connection. We could leverage the BitLocker CSP policies available in Intune, but that doesn't offer integration with recovery keys stored in the SQL DB, or the Helpdesk and Self-Service portals.
Supporting the MBAM role through CMG could be a quick win.
This is sorely needed; over half of our clients are only connecting in via the CMG, and we need to be able to roll out BitLocker to them via MECM.
Popovici Ioan commented
Yeah, key escrow via CMG would be awesome. With everyone at home now, MBAM is basically useless without VPN.