The short answer is that, yes, Protect does support multiple subnets/domains.
The main thing along with this is that you need to meet all scanning prerequisites for Protect and be able to properly resolve the machines regardless of what subnet/domain they are in.
In the issue you pointed out below it seems that you're only having trouble when you have the VM's added via the "Hosted Virtual Machines" tab within your machine group. The difference with this option is that you are resolving the VM host rather than the individual VM itself. Then the host enumerates the VM's.
-Ensure that you have clicked the "Refresh Server" button before adding VM's to the group when adding via the "Hosted Virtual Machines" tab.
-Verify that correct credentials are supplied for the VM's added to the group.
-Check the scanning and deployment prerequisites from the Help menu within Protect:
I hope this helps. If you need further assistance I'd suggest contacting support directly for this issue.
Finally got it sorted after a lot of back and forth with support.
Scanning, patching and deploying the agent across multiple domains and VMs not on a domain.
* Add VMs by IP
* VMs not on the same domain as the console need a entry in the consoles Host file, or a static entry in the consoles domains DNS record. Note: vms need different computer names (this could be a issue if one domain is dev, one is beta, etc).
* Need a credential per domain. For machines not on a domain (web facing VMs) they need a local login.
* Copy agent to VMs not on a domain, then do the registration from there. VMs on a domain it can be pushed from the console.
* There is two sets of credentials - one in the pop up machine group window (admin) and another when you view by machine view and right click a VM and select machine properties.
Hopes this helps other people.