diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 6529e078f2..ee43db38e2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -116,7 +116,7 @@ Before you continue with the deployment, validate your deployment progress by re
 The service account used for the device registration server depends on the domain controllers in the environment.  
 
 >[!NOTE]
->Follow the procedures below based on the domain controllers deployed in your environment.  If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
+> Follow the procedures below based on the domain controllers deployed in your environment.  If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
 
 ### Windows Server 2012 or later Domain Controllers
 
@@ -146,7 +146,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 ## Configure the Active Directory Federation Service Role
 
 >[!IMPORTANT]
->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
+> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
 
 ### Windows Server 2012 or later Domain Controllers
 
@@ -275,7 +275,8 @@ Sign-in a certificate authority or management workstations with _domain administ
 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise’s needs.
 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
-> [!NOTE]
+
+>[!NOTE]
 > The preceding step is very important.  Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate.  You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
 
 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.
@@ -360,6 +361,30 @@ Active Directory Federation Server used for Windows Hello for Business certifica
 
 Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful.  If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate.  You can view the AD FS event logs to determine the status of the enrollment agent certificate.
 
+### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
+Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
+
+>[!TIP] 
+> Make sure to change the $enrollmentService and $configNC variables before running the script.
+
+```Powershell
+# Replace this with your Device Registration Service endpoint
+$enrollmentService = "enterpriseregistration.contoso.com"
+# Replace this with your Active Directory configuration naming context 
+$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=org" 
+ 
+$de = New-Object System.DirectoryServices.DirectoryEntry
+$de.Path = "LDAP://CN=Device Registration Configuration,CN=Services," + $configNC
+
+$deSCP = $de.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
+$deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService)
+$deSCP.CommitChanges()
+```
+
+>[!NOTE] 
+> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1.
+>
+
 ## Additional Federation Servers
 
 Organizations should deploy more than one federation server in their federation farm for high-availability.  You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more.  This largely depends on the number of devices and users using the services provided by the AD FS farm.