Thank you for posting your query on Microsoft Q&A. From the above description I could understand that you are looking for advisory on WHFB in a hybrid environment.
Please do correct me if this is not the case by responding in the comments section.
Enable cloud Kerberos trust authentication by following the steps described in: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
- The above docs assist on how to enable passwordless authentication to on-premises resources for environments with both Microsoft Entra joined and Microsoft Entra hybrid joined Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with Windows Hello for Business cloud trust.
Configure the cloud Kerberos trust policy using the steps: https://learn.microsoft.com/en-au/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune#configure-the-cloud-kerberos-trust-policy
This is to be used when you want to deploy cloud Kerberos trust. However, if you deploy https://learn.microsoft.com/en-us/mem/intune/protect/windows-hello, then it would deploy with the regular key trust model.
- Windows Hello for Business cloud Kerberos trust uses Microsoft Entra Kerberos, which enables a simpler deployment when compared to the key trust model.
- Key trust and certificate trust use certificate authentication-based Kerberos for requesting Kerberos ticket-granting tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
- Cloud Kerberos trust uses Microsoft Entra Kerberos, which doesn't require a PKI to request TGTs.
With Microsoft Entra Kerberos, Microsoft Entra ID can issue TGTs for one or more AD domains. Windows can request a TGT from Microsoft Entra ID when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
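As an added example (not part of the answer above or of Microsoft's documentation), the following PowerShell creates the Microsoft Entra Kerberos server object described in the first link and then verifies it from the admin side and from a client. It assumes the AzureADHybridAuthenticationManagement module is already installed, that the UPN and the property names (KeyVersion, CloudKeyVersion, KeyUpdatedOn) follow the cmdlet's documented output, and that the client check is run on a Windows Hello for Business device after sign-in.

```powershell
# Added example, not from the answer above. Assumes the
# AzureADHybridAuthenticationManagement module is installed and that the
# account used can create objects in the on-premises domain.
Import-Module AzureADHybridAuthenticationManagement

$domain            = $env:USERDNSDOMAIN                 # on-premises AD DNS name
$userPrincipalName = 'admin@contoso.onmicrosoft.com'    # placeholder Entra ID admin UPN
$domainCred        = Get-Credential -Message 'On-premises Domain Admin'

# 1. Create (or refresh) the Microsoft Entra Kerberos server object in AD and
#    publish it to Microsoft Entra ID. Only this object lets Entra ID issue
#    TGTs for the domain; no DC certificates or PKI are involved.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

# 2. Check that the AD object and its cloud copy agree and that the key is fresh.
#    Property names follow the documented output of Get-AzureADKerberosServer.
function Test-EntraKerberosServer {
    param([Parameter(Mandatory)] $Server, [int] $MaxKeyAgeDays = 30)
    $problems = @()
    if ($Server.KeyVersion -ne $Server.CloudKeyVersion) {
        $problems += "Key version mismatch: AD=$($Server.KeyVersion) cloud=$($Server.CloudKeyVersion)"
    }
    if ($Server.KeyUpdatedOn -lt (Get-Date).AddDays(-$MaxKeyAgeDays)) {
        $problems += "Kerberos server key is older than $MaxKeyAgeDays days; rotate it"
    }
    return $problems
}

$server   = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
$problems = Test-EntraKerberosServer -Server $server
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    # Rotate the object's key when it is stale (documented -RotateServerKey switch):
    # Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred -RotateServerKey
} else {
    Write-Host 'Microsoft Entra Kerberos server object is in sync.'
}

# 3. On a client, after a Windows Hello for Business sign-in, confirm Windows
#    obtained both TGTs. Expect 'CloudTgt : YES' and 'OnPremTgt : YES'.
$ssoState = (dsregcmd /status) -match 'CloudTgt|OnPremTgt'
$ssoState
```

If OnPremTgt stays NO after the policy is applied, the usual causes are a missing Kerberos server object for that domain or a Windows build that does not support cloud Kerberos trust, both of which the checks above surface.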