diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index f92f0b2830..bad47f39e6 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -24,7 +24,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
-**To manually create an EFS DRA certificate**
+## Manually create an EFS DRA certificate
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
@@ -46,7 +46,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Note]
>To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
-**To verify your data recovery certificate is correctly set up on a WIP client computer**
+## Verify your data recovery certificate is correctly set up on a WIP client computer
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
@@ -60,7 +60,7 @@ The recovery process included in this topic only works for desktop devices. WIP
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
-**To recover your data using the EFS DRA certificate in a test environment**
+## Recover your data using the EFS DRA certificate in a test environment
1. Copy your WIP-encrypted file to a location where you have admin access.
@@ -72,17 +72,19 @@ The recovery process included in this topic only works for desktop devices. WIP
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
-**To quickly recover WIP-protected after unenrollment**
+## Recover WIP-protected after unenrollment
-It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
+It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once,.
>[!IMPORTANT]
>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
-1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
+1. Have the employee sign in to the unenrolled device, open a command prompt, and type:
`Robocopy` `"%localappdata%\Microsoft\EDP\Recovery"` `"`*`new_location`*`"` `/EFSRAW`
+ To start Robocopy in S mode, press the Windows key + R.
+
-or-
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
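Review bot: The rewritten intro paragraph now ends in "at once,." because "by following these steps" was dropped without the comma before it; end the sentence at "at once." or restore the clause. The new heading "Recover WIP-protected after unenrollment" is missing its noun (the old bold title had the same gap); "Recover WIP-protected data after unenrollment" reads correctly. The relocated line "To start Robocopy in S mode, press the Windows key + R." never says what "S mode" means or what to enter in the Run dialog, so a reader cannot act on it; spell that out or drop the line. Since step 1 is being reworded anyway, note that it still says "the unenrolled device" while the IMPORTANT callout directly above requires that the employee has re-enrolled the device first; aligning the two would avoid someone running the copy before re-enrollment.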
@@ -91,7 +93,6 @@ It's possible that you might revoke data from an unenrolled device only to later
Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
- To start Robocopy in S mode, click Windows key + R.
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
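Review bot: Removing the "To start Robocopy in S mode" line here and re-adding it above the "-or-" changes its scope: it used to follow the "Where *new_location*" paragraph, after both Robocopy alternatives, and now sits only under the `%localappdata%\Microsoft\EDP\Recovery` command. If the tip applies to the System Volume variant as well, keep it after the "Where" paragraph and only correct "click" to "press" there.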