Merge pull request #182129 from msmbaldwin/patch-117

denrea · web-flow · commit 44133d16c60b · 2021-12-07T16:22:31.000-08:00
Update disk-encryption-overview.md
diff --git a/articles/virtual-machines/windows/disk-encryption-faq.yml b/articles/virtual-machines/windows/disk-encryption-faq.yml
@@ -82,7 +82,7 @@ sections:
           To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption. 
           
           >[!WARNING]
-          > - If you have previously used [Azure Disk Encryption with Azure AD app](disk-encryption-windows-aad.md) by specifying Azure AD credentials to encrypt this VM, you will have to continue use this option to encrypt your VM. You can't use Azure Disk Encryption on this encrypted VM as this isn't a supported scenario, meaning switching away from AAD application for this encrypted VM isn't supported yet.
+          > - If you have previously used [Azure Disk Encryption with Azure AD app](disk-encryption-windows-aad.md) by specifying Azure AD credentials to encrypt this VM, you must continue to use this option. Using Azure Disk Encryption without AAD on a VM that's been encrypted using Azure Disk Encryption with Azure AD is not yet a supported scenario.
           
       - question: |
           How do I add or remove a key encryption key (KEK) if I didn't originally use one?
@@ -92,8 +92,9 @@ sections:
       - question: |
           What size should I use for my key encryption key (KEK)?
         answer: |
-          Windows Server 2022 included a newer version of BitLocker and, as described in the prerequisites page, we recommend starting with a 3072 or 4096 bit key size. For earlier version of Windows, you may use 2048 bit as well.
-          
+          Windows Server 2022 includes a newer version of BitLocker and currently does not work with RSA 2048 bit Key Encryption Keys. Until this is resolved, use an RSA 3072 or RSA 4096 bit keys, as described in [Supported operating systems](disk-encryption-overview.md#supported-operating-systems). 
+
+          For earlier version of Windows, you may instead use RSA 2048 Key Encryption Keys.
 
       - question: |
           Does Azure Disk Encryption allow you to bring your own key (BYOK)?
@@ -158,9 +159,9 @@ sections:
           To determine Windows OS version, run the 'winver' tool in your virtual machine.
           
       - question: |
-          Can I backup and restore an encrypted VM? 
+          Can I back up and restore an encrypted VM? 
         answer: |
-          Azure Backup provides a mechanism to backup and restore encrypted VM's within the same subscription and region.  For instructions, please see [Back up and restore encrypted virtual machines with Azure Backup](../../backup/backup-azure-vms-encryption.md).  Restoring an encrypted VM to a different region is not currently supported.  
+          Azure Backup provides a mechanism to back up and restore encrypted VM's within the same subscription and region.  For instructions, please see [Back up and restore encrypted virtual machines with Azure Backup](../../backup/backup-azure-vms-encryption.md).  Restoring an encrypted VM to a different region is not currently supported.  
           
       - question: |
           Where can I go to ask questions or provide feedback?
@@ -175,4 +176,4 @@ additionalContent: |
           
   - [Azure Disk Encryption Overview](disk-encryption-overview.md)
   - [Apply disk encryption in Azure Security Center](../../security-center/asset-inventory.md)
-  - [Azure data encryption at rest](../../security/fundamentals/encryption-atrest.md)
+  - [Azure data encryption at rest](../../security/fundamentals/encryption-atrest.md)
diff --git a/articles/virtual-machines/windows/disk-encryption-overview.md b/articles/virtual-machines/windows/disk-encryption-overview.md
@@ -46,6 +46,8 @@ Azure Disk Encryption is not available on [Basic, A-series VMs](https://azure.mi
 - Windows 10 Enterprise multi-session.  
  
 > [!NOTE]
+> Windows Server 2022 does not support an RSA 2048 bit key. For more details, see [FAQ: What size should I use for my key encryption key?](disk-encryption-faq.yml#what-size-should-i-use-for-my-key-encryption-key--kek--)
+>
 > Windows Server 2008 R2 requires the .NET Framework 4.5 to be installed for encryption; install it from Windows Update with the optional update Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems ([KB2901983](https://www.catalog.update.microsoft.com/Search.aspx?q=KB2901983)).  
 >  
 > Windows Server 2012 R2 Core and Windows Server 2016 Core requires the bdehdcfg component to be installed on the VM for encryption.

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ Azure Disk Encryption is not available on [Basic, A-series VMs](https://azure.mi`
`46`	`46`	`- Windows 10 Enterprise multi-session.`
`47`	`47`
`48`	`48`	`> [!NOTE]`
	`49`	`+> Windows Server 2022 does not support an RSA 2048 bit key. For more details, see [FAQ: What size should I use for my key encryption key?](disk-encryption-faq.yml#what-size-should-i-use-for-my-key-encryption-key--kek--)`
	`50`	`+>`
`49`	`51`	`> Windows Server 2008 R2 requires the .NET Framework 4.5 to be installed for encryption; install it from Windows Update with the optional update Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems ([KB2901983](https://www.catalog.update.microsoft.com/Search.aspx?q=KB2901983)).`
`50`	`52`	`>`
`51`	`53`	`> Windows Server 2012 R2 Core and Windows Server 2016 Core requires the bdehdcfg component to be installed on the VM for encryption.`