diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 4bd92ff06f..b05c43ed2b 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -94,6 +94,34 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+**To quickly recover WIP-protected desktop data after unenrollment in a cloud-based environment**
+If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
+
+>[!IMPORTANT]
+>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
+
+1. Have your employee sign in to the unenrolled device, open the Run command (Windows logo key + R), and type:
+
+ `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW`
+
+ -or-
+
+ `Robocopy “{X:\}System Volume Information\EDP\Recovery\ ” <“new_location”> * /EFSRAW`
+
+ Where the keys are stored either within the employee's profile or, if the employee performed a clean installation over the operating system, in the System Volume folder. Also, where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
+
+2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
+
+ `cipher.exe /D <“new_location”>`
+
+3. Have your employee sign in to the unenrolled device, open the Run command, and type:
+
+ `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
+
+4. Ask the employee to lock and unlock the device.
+
+ The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index 44605fccd9..0067c51efa 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -38,11 +38,9 @@ During the policy-creation process in Intune, you can choose the apps you want t
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
->[!IMPORTANT]
->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+ >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
->[!NOTE]
->If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+>**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
#### Add a store app rule to your policy
For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -71,9 +69,6 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
- > [!NOTE]
- > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
-
>**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.