I agree this was/is correct with Intune, but does this apply with Endpoint Manager? A lot of configuration/policy is set with Endpoint Manager, which hardens the devices. Without it, ATP could report more vulnerabilities if in an Azure Active Directory-only directory, no?


@Mark Aldridge 
