In an agentless DSSO (Desktop Single Sign-on) scenario Okta is the one decrypting the Kerberos ticket, finds then the user name, authenticates the user and passes back a session to the browser.
Solution: The statement is entirely valid

With agentless DSSO (Desktop Single Sign-on), you still have a need of deploying IWA Agents in your Active Directory domains to implement DSSO functionality.
Solution: The statement is true, but not for the part about: the deployment of IWA Agents into Active Directory domains. The IWA Agents can now be deployed on whichever machine, it's a unique functionality that only agentless DSSO has and not on-prem DSSO.

On a Windows machine, which is the right behavior if you try to sign into your Okta org and agentless DSSO is properly configured for it?
Solution: You will be automatically redirected to your Load-Balancing Application, if you have one configured, enter credentials for it and then redirected back to Okta org

Which of the following is / are Okta required attributes?
Solution: None of the above

When a user's Okta password is changed:
Solution: All apps that are Provisioning-enabled and have Sync Password option active under Provisioning settings - will begin to sync the password in respective apps