Active Directory Certificate Services (AD CS) - is it like a private CA? or just a glorified self-signed cert maker?
Can Active Directory Certificate Services (AD CS) behave like a third-party CA for domain-joined devices? In other words, can an AD CS issued cert be validated in the same manner as a commercial cert (however that works), or does an AD CS cert require it be added to the trusted root cert store on all computers?
A self-signed cert has to be manually added to the trusted root certificate store on all computers that leverage it, while a certificate issued by a commercial CA (e.g. DigiCert) is trusted automatically by way of the browser validating the cert using the CA's cert web services.
So where does AD CS fit in? My original understanding was that AD CS is like a commercial CA for your domain, and that any domain-joined device using a cert issued by AD CS would automatically trust it the same way it would trust a commercial cert. But I just read some Microsoft documentation that says you still have to manually add the AD CS issued cert to the trusted root cert store on all domain-joined devices. So do domain-joined devices not just automatically see that this is an AD CS cert and make a quick validation request to the AD CS services? And I'm being told by at least one vendor (Patch My PC) that their AD CS issued cert has to be added to both the Trusted Publishers and the Trusted Root Cert Store on each computer.
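A way to see for yourself what the question is asking about, as an added example (not part of the original post or any vendor's documentation): a PowerShell script that builds the validation chain for one certificate the way Windows does, reports whether it ends at a trusted root, and then checks which local stores (Root, AuthRoot, CA, TrustedPublisher) actually hold that root. On a domain member an enterprise CA's root normally arrives in the LocalMachine Root store through AD itself, whereas the Trusted Publishers store is a separate question: it governs Authenticode trust for signed content and is not consulted when a TLS or client-auth chain is validated. Assumptions: a domain-joined Windows host with the `Cert:` drive available, and `$Thumbprint` is a placeholder for a certificate in `Cert:\LocalMachine\My` that you supply.

```powershell
# Added example, not from the original post. Inspects one certificate's chain
# and reports where its root anchor lives on this machine.
# Assumption: $Thumbprint names a cert in Cert:\LocalMachine\My (placeholder
# supplied by the caller; no real thumbprint is embedded here).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$leaf = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Build the chain as the OS would for validation, with online revocation checks
# (CRL/OCSP URLs come from the certificate's own AIA/CDP extensions).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted = $chain.Build($leaf)

"Chain builds to a trusted root: $trusted"
foreach ($status in $chain.ChainStatus) {
    "  status: $($status.Status) - $($status.StatusInformation)"
}

# Element 0 is the leaf; the last element is the root the chain terminated on.
"Chain elements:"
$chain.ChainElements | ForEach-Object {
    "  subject={0}  issuer={1}  thumbprint={2}" -f $_.Certificate.Subject, $_.Certificate.Issuer, $_.Certificate.Thumbprint
}

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Root        : roots trusted on this machine, including enterprise roots pushed by AD
# AuthRoot    : public roots distributed by Microsoft's root program
# CA          : intermediate CAs
# TrustedPublisher : Authenticode signing trust only; irrelevant to TLS chain building
"Stores containing the chain's root ($($root.Subject)):"
foreach ($store in 'Root', 'AuthRoot', 'CA', 'TrustedPublisher') {
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    "  {0,-16} : {1}" -f $store, [bool]$hit
}
```

Run it as `.\Inspect-Chain.ps1 -Thumbprint <leaf thumbprint>` from an elevated prompt so the LocalMachine stores are readable. If the chain builds and the root shows up only in `Root`, the trust is coming from the machine's own root store (which is where AD distributes enterprise roots), not from any live query to the CA; if `TrustedPublisher` reports false while the chain still builds, that confirms the two stores answer different questions.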