Forum Discussion

ajbravo
Copper Contributor
Oct 18, 2023

Can clients use a PKI that's untrusted

We have two PKI hierarchies, one for our DEV environment and one for production (PROD).  Our DEV environment trusts the PROD certificates.  Our SCCM instance (including the MP) uses certs issued by the PROD CA, but does NOT include the DEV CA certificate in the OS's trusted Root CA store.

From what I have read on https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/plan-for-certificates#pki-trusted-root-certificates, I would think that we should be able to just import the DEV CA into the site properties in the SCCM console, and things would work, since we'd be "[using] PKI client certificates that don't chain to a root certificate that the management points trust."

This does not work for us, however. Although the DEV clients select the correct DEV-signed certificate, the IIS on the MP does not accept the client certificate.  Initially, the issue occurred when ccmsetup.exe tried to contact the MP for a list of DPs.  After I followed some steps (https://serverfault.com/questions/1050679/how-to-use-the-client-authentication-issuers-certificate-store-on-windows-serv) with netsh and SendTrustedIssuerList, ccmsetup runs, but the installed client fails to register with the MP (untrusted issuer).

I opened a case with Microsoft support, who has just told me that the MP *has* to have the DEV CA in the operating system's trusted store, which doesn't make sense given what the PlanPKI documentation says.

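Added diagnostic for the situation described in the post (this is editor-supplied example code, not from the original post, the SCCM product, or Microsoft support). It runs on the management point and separates the three things the post touches: the machine Trusted Root store (what SChannel/IIS checks when it validates a client certificate), the Client Authentication Issuers store plus the SendTrustedIssuerList value (which only shape the issuer list the server advertises in the TLS CertificateRequest, and add no trust), and a machine-context chain build of an exported DEV client certificate. The path `C:\temp\dev-client.cer` and the root file name in the remediation hint are assumptions; substitute your own.

```powershell
<#
  Editor-added example, not part of the original post.
  Run elevated on the management point. Assumes (not stated in the post) that a
  DEV-issued client certificate has been exported to $ClientCertPath.
#>
param(
    [string]$ClientCertPath = 'C:\temp\dev-client.cer'   # assumed path of an exported DEV client cert
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. The trust SChannel/IIS consults at handshake time: the machine Trusted Root store.
Write-Host "== Cert:\LocalMachine\Root =="
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 2. The Client Authentication Issuers store only influences which issuer names the
#    server sends in its CertificateRequest; certificates here are not thereby trusted.
Write-Host "== Cert:\LocalMachine\ClientAuthIssuer =="
Get-ChildItem Cert:\LocalMachine\ClientAuthIssuer -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint | Format-Table -AutoSize

# 3. The SChannel switch from the serverfault steps referenced in the post.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$send = (Get-ItemProperty -Path $schannel -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
Write-Host ("SendTrustedIssuerList = {0}" -f $(if ($null -eq $send) { '(not set)' } else { $send }))

# 4. HTTP.sys bindings: check 'Negotiate Client Certificate' on the MP's 443 binding.
netsh http show sslcert

# 5. Build the client certificate's chain in machine context, as the server side does.
$cert  = New-Object "$X509.X509Certificate2" -ArgumentList $ClientCertPath
$chain = New-Object "$X509.X509Chain" -ArgumentList $true    # $true = machine context
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$clientAuthEku = New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthEku) | Out-Null
$built = $chain.Build($cert)

Write-Host "`nChain for '$($cert.Subject)' builds: $built"
foreach ($el in $chain.ChainElements) {
    Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $el.Certificate.Thumbprint)
}
foreach ($st in $chain.ChainStatus) {
    Write-Host ("  status: {0} - {1}" -f $st.Status, $st.StatusInformation.Trim())
}

# 6. Is the top of the chain actually present in this host's Trusted Root store?
$top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if (-not $inRoot -or ($chain.ChainStatus.Status -contains 'UntrustedRoot')) {
    Write-Warning ("Chain ends in '{0}', which is not in Cert:\LocalMachine\Root on this host; " +
                   "SChannel will reject the client certificate before Configuration Manager evaluates it.") -f $top.Subject
    # Remediation that the support case in the post describes (file name is an assumption):
    Write-Host "  Import-Certificate -FilePath C:\temp\dev-root.cer -CertStoreLocation Cert:\LocalMachine\Root"
}
```

If step 5 reports `UntrustedRoot`, the rejection is happening in the TLS layer, which explains why importing the DEV CA into the site properties and tuning SendTrustedIssuerList changed the symptom (ccmsetup got further) without fixing registration: those settings affect certificate selection and the advertised issuer list, not the chain validation IIS performs on the presented client certificate.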