In the most situations it doesn’t matter that the AllowedRootCAHashCode value doesn’t get removed during a Capture of the client, but there is one situation where it does matter. This one situation is when there has to be one image for multiple domains and every domain has its own issuing CA’s. This situation is a problem because the client stores a copy of the Root Certificate in the AllowedRootCAHashCode key. Because it contains the wrong value for the Root Certificate the client isn’t able to get a new Site Signing Certificate (which is also stored in the registry), so the client isn’t able to check the policies.
As workaround for this I created a Task Sequence step (in the install Task Sequence) to delete the HKLM\SOFTWARE\Microsoft\CCM\Security\AllowedRootCAHashCode.
Another workaround (which is probably a bit easier) can be found at the ConfigMgr Technet forum (http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/3ac574ca-c562-4a44-92da-5c640a71c3c6) where I posted this situation. The workaround posted here is to create a Task Sequence step (in the Build and Capture Task Sequence) to delete the whole HKLM\SOFTWARE\Microsoft\CCM\Security\ key.
More information about the Task Sequence Step Prepare ConfigMgr Client for Capture: http://technet.microsoft.com/en-us/library/bb633049.aspx
More information about Renewing or Changing the Site Signing Certificate: http://technet.microsoft.com/en-us/library/bb633098.aspx