Incorporating feedback.

roygara · roygara · commit 36dd585276bd · 2023-02-21T14:31:15.000-08:00
diff --git a/articles/virtual-machines/image-version-encryption.md b/articles/virtual-machines/image-version-encryption.md
@@ -6,7 +6,7 @@ ms.service: virtual-machines
 ms.subservice: gallery
 ms.workload: infrastructure-services
 ms.topic: how-to
-ms.date: 1/11/2023
+ms.date: 02/22/2023
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
 ---
@@ -38,6 +38,8 @@ When you're using customer-managed keys for encrypting images in an Azure Comput
 
 - Encryption key sets are regional resources, so each region requires a different encryption key set.
 
+- After you've used your own keys to encrypt an image, you can't go back to using platform-managed keys for encrypting those images.
+
 - VM image version source doesn't currently support customer-managed key encryption.
 
 ## PowerShell
diff --git a/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md b/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md
@@ -11,7 +11,6 @@
 ---
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
-- Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. Your disks and their images must be in the same subscription, the keys used to encrypt your disks can be in a different subscription.
 - For Ultra Disks and Premium SSD v2 only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
     - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Azure Active Directory tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).
