From 3a5c7ce0fd275c7712fe0582bf15518595d338b8 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 7 Sep 2020 10:30:52 +0300 Subject: [PATCH] add note about Quota changed note location as requested by mapalko --- .../hello-for-business/hello-cert-trust-adfs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index a24af0e830..c6a05e42f4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -145,6 +145,9 @@ Windows Server 2012 or later domain controllers support Group Managed Service Ac GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA. +>[!NOTE] +> If the [default object creation quota for security principles](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices. + #### Create KDS Root Key Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. 
@@ -152,9 +155,6 @@ Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. 1. Start an elevated Windows PowerShell console. 2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`. ->[!NOTE] -> If the [default object creation quota for security principles](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices. - ### Windows Server 2008 or 2008 R2 Domain Controllers Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis.
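Review bot: in the first hunk, the moved note keeps the typo "security principles"; the subject is security principals (the accounts that own the object creation quota), so the added `+>` line should read "default object creation quota for security principals". While touching that line, "you will need to change it for the Group Managed Service Account" leaves the reader to infer what "it" is; naming the quota attribute that the linked MS-ADTS section describes, and stating that the GMSA is the account that will be creating the device objects, would let an administrator locate and adjust the right setting instead of guessing. The `/en-us/` locale segment in the docs.microsoft.com URL can also be dropped so the link resolves to the reader's own locale.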
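Review bot: in the second hunk, the removed note body is identical to the one added in the first hunk, so this is a pure relocation and no wording was lost; however, the unchanged context line "Therefore, you must use create a normal user account as a service account" contains a stray "use" ("you must create a normal user account"), and since this hunk already touches the surrounding lines, fixing it in the same change would be a cheap improvement.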