Commit 6d8261d

Merge pull request #192037 from msmbaldwin/ade-misc
Ade misc
2 parents 654c6b8 + d49545f commit 6d8261d

1 file changed

+11
-6
lines changed

includes/disk-encryption-key-vault.md

Lines changed: 11 additions & 6 deletions
@@ -34,7 +34,7 @@ New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"
3434
Create a key vault using the [az keyvault create](/cli/azure/keyvault#az_keyvault_create) Azure CLI command, the [New-AzKeyvault](/powershell/module/az.keyvault/new-azkeyvault) Azure PowerShell command, the [Azure portal](https://portal.azure.com), or a [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-create).
3535

3636
>[!WARNING]
37-
> Your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same subscription and region as the VMs to be encrypted.
37+
> To ensure that encryption secrets don't cross regional boundaries, you must create and use a key vault that is in the **same region and tenant** as the VMs to be encrypted.
3838
3939
Each Key Vault must have a unique name. Replace \<your-unique-keyvault-name\> with the name of your key vault in the following examples.
4040

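Review bot: the rewritten warning at 37+ silently drops the requirement stated at 37- that the key vault and the VMs be in the same subscription, replacing it with "same region and tenant". If the subscription constraint still applies, keep it; if it has genuinely been relaxed to tenant scope, say so explicitly (for example "the key vault may be in a different subscription within the same tenant"), because readers of the previous text will otherwise read the omission as an editing mistake rather than a policy change. Minor: 37+ uses "key vault" while the unchanged line 39 context uses "Key Vault"; pick one casing for the generic resource.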
@@ -53,14 +53,14 @@ When creating a key vault using Azure PowerShell, add the "-EnabledForDiskEncryp
5353
```azurepowershell-interactive
5454
New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "eastus" -EnabledForDiskEncryption
5555
```
56+
5657
### Resource Manager template
5758

5859
You can also create a key vault by using the [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-create).
5960

6061
1. On the Azure quickstart template, click **Deploy to Azure**.
6162
2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then click **Purchase**.
6263

63-
6464
## Set key vault advanced access policies
6565

6666
The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.
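Review bot: the only changes in this hunk are a blank line added after the closing fence at 56+ and one removed at 63-, both harmless for markdown spacing. While this block is being touched, the unchanged context line 54 uses `-name` whereas the `New-AzResourceGroup -Name` context at the top of the first hunk uses `-Name`; PowerShell parameter names are case-insensitive, so this is purely a style point, but `-Name` would match the rest of the file.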
@@ -81,7 +81,7 @@ Use [az keyvault update](/cli/azure/keyvault#az_keyvault_update) to enable disk
8181
8282
```azurecli-interactive
8383
az keyvault update --name "<your-unique-keyvault-name>" --resource-group "MyResourceGroup" --enabled-for-deployment "true"
84-
```
84+
```
8585
8686
- **Enable Key Vault for template deployment, if needed:** Allow Resource Manager to retrieve secrets from the vault.
8787
```azurecli-interactive
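Review bot: the 84-/84+ pair shows an identical closing fence, so the actual change is whitespace (indentation or trailing space) that the rendered diff hides. Confirm that the closing ``` now sits at the same indentation as the opening ```azurecli-interactive at 82 inside the bullet; a fence indented differently from its opener does not close the block, and the next bullet at 86 would then render as part of the code.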
@@ -93,7 +93,7 @@ Use [az keyvault update](/cli/azure/keyvault#az_keyvault_update) to enable disk
9393
9494
- **Enable Key Vault for disk encryption:** EnabledForDiskEncryption is required for Azure Disk encryption.
9595
96-
```azurepowershell-interactive
96+
```azurepowershell-interactive
9797
Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForDiskEncryption
9898
```
9999
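Review bot: as in the previous hunk, 96-/96+ differ only in whitespace that is invisible here. Check that the opening ```azurepowershell-interactive at 96+ has the same indentation as the closing fence at 98; otherwise the Set-AzKeyVaultAccessPolicy line at 97 renders as inline list text instead of a code block.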
@@ -105,19 +105,24 @@ Use [az keyvault update](/cli/azure/keyvault#az_keyvault_update) to enable disk
105105
106106
- **Enable Key Vault for template deployment, if needed:** Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.
107107
108-
```azurepowershell-interactive
108+
```azurepowershell-interactive
109109
Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "MyResourceGroup" -EnabledForTemplateDeployment
110110
```
111111
112112
### Azure portal
113113
114114
1. Select your key vault and go to **Access Policies**.
115115
2. Under "Enable Access to", select the box labeled **Azure Disk Encryption for volume encryption**.
116-
3. Select **Azure Virtual Machines for deployment** and/or **Azure Resource Manager for template deployment**, if needed.
116+
3. Select **Azure Virtual Machines for deployment** and/or **Azure Resource Manager for template deployment**, if needed.
117117
4. Click **Save**.
118118
119119
![Azure key vault advanced access policies](../articles/virtual-machines/media/disk-encryption/keyvault-portal-fig4.png)
120120
121+
## Azure Disk Encryption and auto-rotation
122+
123+
Although Azure Key Vault now has [key auto-rotation in public preview](../articles/key-vault/keys/how-to-configure-key-rotation.md), it is not currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated.
124+
125+
Rotating an encryption key will not break Azure Disk Encryption, but disabling the "old" encryption key (in other words, the key Azure Disk Encryption is still using) will.
121126
122127
## Set up a key encryption key (KEK)
123128
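Review bot: the new "Azure Disk Encryption and auto-rotation" section (121+ to 125+) refers to "the original encryption key" and "the 'old' encryption key" without saying which key is meant; since the very next heading at 127 is "Set up a key encryption key (KEK)", state whether this is the KEK stored in Key Vault so readers do not confuse it with the per-volume encryption secret. The consequence at 125+ is also worth spelling out: the pre-rotation key must remain enabled for as long as any VM was encrypted against it, because, as the context at the start of the "Set key vault advanced access policies" section notes, the platform needs that key to make the volumes available to the VM for booting and decrypting. The 108-/108+ and 116-/116+ pairs are identical text, so they are whitespace-only changes like the earlier hunks; confirm the fence and list indentation render correctly. Finally, the link at 123+ is a relative path from an includes file; verify it resolves from every article that includes this fragment.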
