Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md

Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md

@@ -114,7 +114,11 @@ You will see a finalization screen confirming everything we have configured, it
     You will see a screen telling you that the **Certification Authority Web Enrollment** was successful but it will give a warning about the **Certification Authority**.  The Active Directory Certificate Services installation is incomplete.  To complete the installation, use the request file <file-name> to obtain a certificate from the parent CA [*The RootCA*].  Then, use the Certification Authority snap-in to install the certificate.  To complete this procedure, right-click the node with the name of the CA, and then click "Install CA Certificate".
 
 ### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Configuration Deployment
-At this point, we will need to focus on getting the certificate signing request transferred to `LAB-CA-01` (the rootCA), this can be via temporary network access (sharing a CSR via a SMB network share from `LAB-CA-02`) (not recommended) or via a USB flashdrive (more secure).
+At this point, we will need to focus on getting the certificate signing request generated on `LAB-CA-02` to `LAB-CA-01` (the rootCA), this can be via temporary network access or via a USB flashdrive.
+
+!!! danger
+    If using a USB flashdrive is not viable, don't leave the RootCA on the network any longer than what is absolutely necessary.
+
 - Once the certificate signing request file `C:\LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req` is on `LAB-CA-01` (RootCA) we can proceed to get it signed.
 - **PLACEHOLDER**