Windows-itpro-docs: you need to add the CA servers root cert should be added to the non-AD joined win10 machine...?

Created on 29 Mar 2020 · 13 Comments · Source: MicrosoftDocs/windows-itpro-docs

I installed both CA cert and the DC cert otherwise the certification path would have been incomplete, unclear if that was needed in this case?



hello-for-business in progress

All 13 comments

Yes this is absolutely needed.

The CA cert needs to be installed in Trusted Root - this is not the default action on an import (I think some folks still don't know that); add a clarification that they need to verify it is the Local Computer Trusted Root Store.

The DC cert can go to the local computer default store the wizard uses - in this case the 'other people' store.

Consider adding this clarification to Key Trust and Hybrid Trust docs.
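
To illustrate the store placement described in the comment above, here is an added PowerShell example (not part of the thread or of Microsoft's documentation). It imports the CA cert explicitly into the Local Computer Trusted Root store, places the DC cert in the 'Other People' store, and checks that the DC cert chains to the imported CA. The two file paths are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example; the two .cer paths are hypothetical placeholders.
param(
    [string]$CaCertPath = 'C:\certs\root-ca.cer',
    [string]$DcCertPath = 'C:\certs\dc.cer'
)

# Name the store explicitly rather than relying on the import default,
# which does not place a CA cert in Trusted Root.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root

# 'Other People' in the Certificates MMC is the AddressBook store.
$dc = Import-Certificate -FilePath $DcCertPath -CertStoreLocation Cert:\LocalMachine\AddressBook

# Confirm the CA cert is in the Local Computer root store.
$inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"

# Build the DC cert's chain using the machine context ($true).
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)

# Revocation is skipped to isolate the trust-path question
# (assumption: CRL reachability is checked separately).
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($dc)

# The last chain element is the root the chain engine ended on.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    CaInLocalMachineRoot  = $inMachineRoot
    DcChainBuilds         = $chainOk
    ChainEndsAtImportedCa = ($root.Thumbprint -eq $ca.Thumbprint)
    ChainStatus           = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
$chain.Dispose()
```

An empty `ChainStatus` with all three flags `True` means the certification path is complete; `UntrustedRoot` or `PartialChain` in `ChainStatus` points to the CA cert not being in the machine's Trusted Root store.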

If you have ideas for where the text needs to be updated, you may edit the documents and create a Pull Request for the changes to be evaluated and discussed. Feel free to do so, if you have got the time & motivation.

I may do that, this is a simple change.

I already invested 40+ working hours in trying to get to the bottom of this. I think I have done my part in figuring out a) the issue and b) what was lacking about the docs that made it so hard, and taking the time to file multiple actionable pieces of feedback.

But as an ex-MSFT employee my first reaction is: this is a paid product (not free), so get the product managers / program managers to do their jobs and make sure their docs are clear, concise and actionable - accurate actionable docs is a feature too.

But I suspect I am telling the wrong person, as you already know this and likely struggle at getting the devs / PMs to actually help. :-(

Fair enough. Sounds good that you have spent that much time on your issues and to get to the bottom of them to find the solutions you needed.

Sure, we can wait for the moderators and tech writers to pick up on this ticket.
Also, as an outsider, I need to wait for more feedback to see what comes next.

@illfated ahh sorry, didn't realize you are an outsider!

Not a problem, never mind. I hope I can be of assistance somehow anyway. My background is computer support + language & grammar knowledge.

@scyto An independent contributor is going to follow up with a Pull Request in accordance with your suggestions. Thank you for taking the time to investigate the issue further.

Hello, @scyto,
The CA cert needs to be installed in Trusted Root - yes, and as you can see, it is already mentioned in the "Important" section of the PKI part of the article.
The CA cert is added to the trusted root container when you join a computer to AD, so when the computer is not a member of AD (for example, it is Azure AD-joined), the certificate must be installed manually.
Thank you

@scyto : Does that answer your question, or do you still find the document article to be so unclear as to require any additional text to clarify this?

Not really; the blue box items seem no less or more important than the other bullets, plus for me I had to put the CA cert in the local computer (not user) trusted root. Though maybe I had some other issue, I can retest by putting it in the user store instead?

For the DC cert, the bullets don't say which of the computer's stores the DC cert should be put in (I note the default import works). This is different to the CA cert, where the default import never puts the cert in trusted root.

The most useful doc was the full set of cert instructions in the other PKI based sections, this doc should mirror those.

@MaratMussabekov : Would you be able to follow up on the latest feedback comment above, regarding unclear location of computer store for DC cert and the comparison with the PKI-based sections?

Another contributor is going to follow-up with this issue. Thank you for the discussion.

@scyto - Thank you for all your work and continued feedback. I was planning to add the required missing information. Can you please confirm as you have mentioned that there was another useful doc. Can you please confirm if that document is https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates so that I can mirror the changes or point to this doc from the current document?
