Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md

Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md

@@ -163,6 +163,7 @@ Lastly, we need to adjust the security permissions of the "Domain Controller Aut
     - Right-click "**Domain Controller Authentication**" > Properties
     - Click on the "**Security**" tab
     - Under the "Domain Controllers" permission, ensure that "Allow:Read" is checked, as well as "Enroll" and "Autoenroll", then click "OK"
+        - Repeat the above step except for the "**Domain Controller**" certificate template's properties instead.
 
 ## Create Auto-Enrollment Group Policy
 The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`).
@@ -176,15 +177,25 @@ The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*com
             - Set the Configuration Model to "**Enabled**"
             - Check both checkboxes for "**Renew expired certificates, update pending certificates, and remove revoked certificates**" and "**Update certificates that use certificate templates**"
             - Click "**OK**"
+        - Navigate to "**Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities**"
+            - Right-click the "**Trusted Root Certification Authorities**" folder and select "**Import...**" > Proceed to browse for the `RootCA.cer` that you previously generated.  (*copy it to the domain controller if needed from one of the Certificate Authorities*)
+            - Proceed to import the certificate, clicking-through all of the prompts and confirmations until it finishes the import.
+        - Navigate to "**Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities**"
+            - Right-click the "**Trusted Root Certification Authorities**" folder and select "**Import...**" > Proceed to browse for the `LAB-CA-02-SubCA.cer` that you previously generated.  (*copy it to the domain controller if needed from one of the Certificate Authorities*)
+            - Proceed to import the certificate, clicking-through all of the prompts and confirmations until it finishes the import.
 - Run a `gpupdate /force` on your domain controller(s) and give it a few minutes to pull down their new domain controller certificates
 
 ### Validate Auto-Enrollment Functionality
 At this point, you need to check that there is a certificate installed within "**Certificates - Local Computer > Personal > Certificates**" for "Domain Controller Server Authentication"
 
-- PLACEHOLDER
-    - PLACEHOLDER
-    - PLACEHOLDER
-    - PLACEHOLDER
+- Load the Certificate - Local Machine (`certlm.msc`) and navigate to "**Personal > Certificates**" > You should see something similar to the following:
+
+| **Issued To** | **Issued By** | **Expiration Date** | **Intended Purposes** | **Certificate Template** |
+| :--- | :--- | :--- | :--- | :--- |
+| LAB-DC-01.bunny-lab.io | BunnyLab-SubordinateCA-01 | 7/15/2026 | Directory Service Email Replication | Directory Email Replication |
+| LAB-DC-01.bunny-lab.io | BunnyLab-SubordinateCA-01 | 7/15/2026 | Client Authentication, Server Authentication, Smart Card Logon | Domain Controller Authentication |
+| LAB-DC-01.bunny-lab.io | BunnyLab-SubordinateCA-01 | 7/15/2026 | Client Authentication, Server Authentication, Smart Card Logon, KDC Authentication | Kerberos Authentication |
+
 
 !!! warning "Under Construction"
     Section is still being written during lab deployment.