
Commit 0b75ed4

committed
edits + resolves 104098, 102980
1 parent 0bd2639 commit 0b75ed4

File tree

1 file changed

+6
-0
lines changed


articles/virtual-machines/extensions/key-vault-windows.md

Lines changed: 6 additions & 0 deletions
@@ -576,6 +576,12 @@ By default, Administrators and SYSTEM receive Full Control.
576576

577577
The extension relies on the default behavior of the [PFXImportCertStore API](/windows/win32/api/wincrypt/nf-wincrypt-pfximportcertstore). By default, if a certificate has a Provider Name attribute that matches with CAPI1, then the certificate is imported by using CAPI1 APIs. Otherwise, the certificate is imported by using CNG APIs.
578578

579+
#### Does the extension support IIS certificate autobinding?
580+
581+
No. The Azure Key Vault VM extension doesn't support IIS automatic rebinding. The automatic rebinding process requires certificate services lifecycle notifications, and the extension doesn't write a certificate-renewal event (event ID 1001) upon newer versions.
582+
583+
The recommended approach is to use the Key Vault VM extension schema's `linkOnRenewal` property. Upon installation, when the `linkOnRenewal` property is set to `true`, the previous version of a certificate is chained to its successor via the `CERT_RENEWAL_PROP_ID` certificate extension property. The chaining enables the S-channel to pick up the most recent (latest) valid certificate with a matching SAN. This feature enables autorotation of SSL certificates without necessitating a redeployment or binding.
584+
579585
### View extension status
580586

581587
Check the status of your extension deployment in the Azure portal, or by using PowerShell or the Azure CLI.
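Review bot: In the new FAQ entry, "the extension doesn't write a certificate-renewal event (event ID 1001) upon newer versions" leaves the trigger unclear; suggest "when it installs a newer version of a certificate", which also makes explicit why IIS automatic rebinding (which waits for that lifecycle notification) never fires. Two naming points in the `linkOnRenewal` paragraph: "S-channel" should be "Schannel", and `CERT_RENEWAL_PROP_ID` is a certificate context property (set with CertSetCertificateContextProperty), not an X.509 extension, so "certificate extension property" should read "certificate context property". "Upon installation" in that sentence also reads as if it means installing the extension; "each time the extension installs a new certificate version, it links the previous version to its successor" states the behaviour precisely. Finally, the heading says "autobinding" while the body says "automatic rebinding"; pick one term for both.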
