diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 1d26215059..eb3965f6f1 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -1,6 +1,7 @@
---
title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
+keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
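Review bot: The added keywords line lists WIP twice ("Windows Information Protection, WIP, WIP, Enterprise Data Protection"). Drop the duplicate, or, if the second entry was meant to be the former abbreviation, change it to EDP so that searches for the old name still reach this topic. Since the front matter is being touched anyway, the description's "a Encrypting File System" in the unchanged line above could be corrected to "an Encrypting File System" in the same commit.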
@@ -15,12 +16,12 @@ ms.pagetype: security
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
-The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices.
+The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).
**To manually create an EFS DRA certificate**
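Review bot: The two "For more info" sentences added to the Important callout bury its one instruction (reuse your existing EFS DRA certificate in the policy) under reference links. Both links are also repeated in the Related topics section that this patch adds at the end of the file. Keep the callout to the reuse guidance and leave the links to Related topics, or move them into a separate note below the callout.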
@@ -37,30 +38,32 @@ If you already have an EFS DRA certificate for your organization, you can skip c
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
>**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
+ Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
-4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager.
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
>**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
-**To verify your data recovery certificate is correctly set up on an EDP client computer**
+**To verify your data recovery certificate is correctly set up on an WIP client computer**
-1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP.
+1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
-2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP.
+
+3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
`cipher /c `
Where *<filename>* is the name of the file you created in Step 1.
-3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
+4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
**To recover your data using the EFS DRA certificate in a test environment**
-1. Copy your EDP-encrypted file to a location where you have admin access.
+1. Copy your WIP-encrypted file to a location where you have admin access.
-2. Install the EFSDRA.pfx file, using your password.
+2. Install the EFSDRA.pfx file, using its password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
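Review bot: The verification procedure now has two steps that do the same thing. Added step 1 ("Find or create a file that's encrypted using Windows Information Protection...") and added step 2 ("Open an app on your protected app list, and then create and save a file...") both tell the reader to produce a WIP-encrypted file, and they disagree on "allowed app list" versus "protected app list". Drop step 2 and renumber so that the cipher /c step is 2 and the Recovery Certificates check is 3, which also keeps "the file you created in Step 1" accurate. In the same hunk, "on an WIP client computer" should read "on a WIP client computer", and the cipher /c line as shown carries no file name placeholder even though the next line explains one.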
@@ -68,22 +71,39 @@ If you already have an EFS DRA certificate for your organization, you can skip c
Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx.
-**To recover your EDP-protected desktop data after unenrollment**
+**To quickly recover WIP-protected desktop data after unenrollment**
+It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
+
+>**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
- `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
+ `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`
- Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent.
+ Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
-2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing:
+2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
`cipher.exe /D <“new_location”>`
-3. Sign in to the unenrolled device as the employee, and type:
+3. Have your employee sign in to the unenrolled device, and type:
+
+ `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”`
+
+4. Ask the employee to lock and unlock the device.
+
+ The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+
+## Related topics
+- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx)
+
+- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx)
+
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
+
+- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
+
+- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA)
- `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
-4. Ask the employee to log back in to the device or to lock and unlock the device.
- The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location.
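Review bot: Steps 1 and 3 change the on-disk path in the Robocopy commands from %localappdata%\Microsoft\EDP\Recovery to %localappdata%\Microsoft\WIP\Recovery, and nothing in this patch shows that the folder on the device was renamed along with the product. Please confirm against a current build before merging: if the directory is still named EDP, the step 1 copy finds nothing to export and the step 3 copy places the recovered keys where the Credential service will not look, so the recovery fails silently. Both commands also wrap their paths in typographic quotes, which a command prompt does not treat as quoting characters when the line is pasted; use straight double quotes. Step 4 no longer offers "log back in to the device" as an alternative to lock and unlock; if that is intentional, say so in the commit message.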