by marcinzm 2162 days ago
The attackers likely compromised the computers using the remote device management system, which means it's either disabled or unsafe to use.

Sure, you need to make sure your AD and device management are clean before starting the process. My point was that once you're bootstrapped you shouldn't need a fully manual recovery process.
And I'm pointing out that when your attacker has control of device management, they can also disable device management on all the devices after their attack is deployed.