Clarification on Windows Hello for Business Hybrid Trust requirements

Hi Gurus

Can someone assist with verifying the exact requirements for a Windows Hello for Business setup using the Hybrid Key trust model when all devices are Azure AD hybrid joined, i.e. are joined to an AD DS domain that is being synced to Azure AD via AADConnect?

I've been reading docs for hours and I'm confused. If all my devices are Azure AD hybrid joined, I have 2019 DCs, and I have assigned the right certificate template to them, I don't need a publicly accessible CRL, correct? That is only needed if I have a requirement for Azure AD joined machines to access AD DS resources. This option also requires AADConnect device writeback, where Azure AD joined machines are written back to AD DS on premises.

Do I have this right, and will someone put me out of my misery? :beaming_face_with_smiling_eyes: :beaming_face_with_smiling_eyes: Please don't point me at the MS documentation on this topic, as it's got to be the worst documentation I've read in years.

I just need confirmation that I don't need a publicly available CRL for machines that are Azure AD hybrid joined.

Any help would be greatly appreciated...