Updates.

Author: roygara

articles/virtual-machines/image-version-encryption.md

@@ -36,6 +36,8 @@ This article requires that you already have a disk encryption set in each region
 
 When you're using customer-managed keys for encrypting images in an Azure Compute Gallery, these limitations apply:
 
+- Encryption key sets must be in the same subscription as your image.
+
 - Encryption key sets are regional resources, so each region requires a different encryption key set.
 
 - After you've used your own keys to encrypt an image, you can't go back to using platform-managed keys for encrypting those images.

includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md

@@ -11,7 +11,6 @@
 ---
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
-- Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. Your disks and their images must be in the same subscription, the keys used to encrypt your disks can be in a different subscription.
 - For Ultra Disks only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
     - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Azure Active Directory tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).