Hi @testuser7,
Thanks for your post!
Yes, it is mandatory. Hybrid certificate trust deployments need the device writeback feature, and this is mentioned in the prerequisites for the setup guide.
If users are synchronized and devices are not, there can be Windows Hello for Business certificate enrollment failures. Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object.
Sources:
-
If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.
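Added example (not part of the answer above and not Microsoft's own tooling): a PowerShell pre-flight script that checks the three things the answer ties together before a hybrid certificate trust rollout: whether Azure AD Connect has device writeback enabled, whether the device object has actually been written back to Active Directory, and whether the msDS-KeyCredentialLink attribute is populated on the user and computer objects. It assumes it is run on the Azure AD Connect server (ADSync module present) with the RSAT ActiveDirectory module installed; the user name, computer name and writeback container DN are placeholders, and the DeviceWriteback property name on Get-ADSyncAADCompanyFeature output is assumed from typical installations.

```powershell
# Added example, not code from the original answer.
# Assumptions: run on the Azure AD Connect server with the ADSync and ActiveDirectory modules;
# $UserSam, $Computer and $DeviceContainer are placeholders for your environment.
param(
    [string]$UserSam         = 'testuser7',                               # placeholder user
    [string]$Computer        = 'WKS-PLACEHOLDER',                         # placeholder device name
    [string]$DeviceContainer = 'CN=RegisteredDevices,DC=contoso,DC=com'   # placeholder writeback container
)

Import-Module ADSync          -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$results = New-Object System.Collections.Generic.List[object]

# Check 1: device writeback is a hard prerequisite for hybrid certificate trust.
# The DeviceWriteback property name is an assumption about the cmdlet's output.
$features = Get-ADSyncAADCompanyFeature
$results.Add([pscustomobject]@{
    Check  = 'Device writeback enabled in Azure AD Connect'
    Result = [bool]$features.DeviceWriteback
})

# Check 2: the device must have been written back as an msDS-Device object.
# Written-back device objects carry the device name in displayName (assumed).
$deviceObj = Get-ADObject -Filter "objectClass -eq 'msDS-Device' -and displayName -eq '$Computer'" `
                          -SearchBase $DeviceContainer -Properties displayName -ErrorAction SilentlyContinue
$results.Add([pscustomobject]@{
    Check  = "Written-back device object for $Computer exists"
    Result = [bool]$deviceObj
})

# Check 3: msDS-KeyCredentialLink on the user and computer objects.
# An empty attribute on both sides is the symptom of the enrollment failures the answer describes.
$user = Get-ADUser     -Identity $UserSam  -Properties 'msDS-KeyCredentialLink' -ErrorAction Stop
$comp = Get-ADComputer -Identity $Computer -Properties 'msDS-KeyCredentialLink' -ErrorAction Stop
$results.Add([pscustomobject]@{
    Check  = "msDS-KeyCredentialLink entries on user $UserSam"
    Result = @($user.'msDS-KeyCredentialLink').Count
})
$results.Add([pscustomobject]@{
    Check  = "msDS-KeyCredentialLink entries on computer $Computer"
    Result = @($comp.'msDS-KeyCredentialLink').Count
})

$results | Format-Table -AutoSize
```

Run it as a user with read access to the writeback container and to the user and computer objects; a `False` on the first check explains the enrollment failures on its own, and a `True` there with no device object means writeback is enabled but the device has not completed a sync cycle yet.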