
Commit 71403a4

Updates
1 parent 2b248da commit 71403a4

10 files changed

+47
-48
lines changed

articles/virtual-machines/windows/disk-encryption-cli-quickstart.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ ms.service: virtual-machines
77
ms.subservice: disks
88
ms.collection: windows
99
ms.topic: quickstart
10-
ms.date: 05/17/2019
10+
ms.date: 01/04/2023
1111
ms.custom: devx-track-azurecli, mode-api
1212
---
1313

@@ -61,9 +61,9 @@ It takes a few minutes to create the VM and supporting resources. The following
6161

6262
## Create a Key Vault configured for encryption keys
6363

64-
Azure disk encryption stores its encryption key in an Azure Key Vault. Create a Key Vault with [az keyvault create](/cli/azure/keyvault#az-keyvault-create). To enable the Key Vault to store encryption keys, use the --enabled-for-disk-encryption parameter.
64+
Azure disk encryption stores its encryption key in an Azure Key Vault. Create a Key Vault with [az keyvault create](/cli/azure/keyvault#az-keyvault-create). To enable the Key Vault to store encryption keys, use the--enabled-for-disk-encryption parameter.
6565
> [!Important]
66-
> Each Key Vault must have a unique name. The following example creates a Key Vault named *myKV*, but you must name yours something different.
66+
> Each Key Vault must have a unique name. This example creates a Key Vault named *myKV*, but you must name yours something different.
6767
6868
```azurecli-interactive
6969
az keyvault create --name "myKV" --resource-group "myResourceGroup" --location eastus --enabled-for-disk-encryption
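Review bot: the new line 64 drops the space before the parameter name, producing "use the--enabled-for-disk-encryption parameter"; restore the space and put the flag in code formatting, e.g. "use the `--enabled-for-disk-encryption` parameter", matching how the flag appears in the command on line 69.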
@@ -99,7 +99,7 @@ az group delete --name myResourceGroup
9999

100100
## Next steps
101101

102-
In this quickstart, you created a virtual machine, created a Key Vault that was enable for encryption keys, and encrypted the VM. Advance to the next article to learn more about Azure Disk Encryption prerequisites for IaaS VMs.
102+
In this quickstart, you created a virtual machine, created a Key Vault that was enabled for encryption keys, and encrypted the VM. Advance to the next article to learn more about Azure Disk Encryption prerequisites for IaaS VMs.
103103

104104
> [!div class="nextstepaction"]
105105
> [Azure Disk Encryption overview](disk-encryption-overview.md)

articles/virtual-machines/windows/disk-encryption-faq.yml

Lines changed: 6 additions & 6 deletions
@@ -71,8 +71,8 @@ sections:
7171
Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk with a customer-managed key.
7272
7373
- If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption.
74-
- If your requirements include encrypting only data at rest with customer-managed key, then use [Server-side encryption with customer-managed keys](../disk-encryption.md). You cannot encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.
75-
- If you are using a scenario called out in [unsupported scenarios for Windows](disk-encryption-windows.md#unsupported-scenarios), consider [Server-side encryption with customer-managed keys](../disk-encryption.md).
74+
- If your requirements include encrypting only data at rest with customer-managed key, then use [Server-side encryption with customer-managed keys](../disk-encryption.md). You can't encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.
75+
- If you're using a scenario called out in [unsupported scenarios for Windows](disk-encryption-windows.md#unsupported-scenarios), consider [Server-side encryption with customer-managed keys](../disk-encryption.md).
7676
- If your organization's policy allows you to encrypt content at rest with an Azure-managed key, then no action is needed - the content is encrypted by default. For managed disks, the content inside storage is encrypted by default with Server-side encryption with platform-managed key. The key is managed by the Azure Storage service.
7777
7878
- question: |
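Review bot: since line 74 is being edited anyway, its wording could be tightened: "with customer-managed key" lacks an article ("with a customer-managed key"), and "customer managed keys" at the end of the same line is unhyphenated while the link text a few words earlier uses "customer-managed keys"; make both consistent.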
@@ -81,7 +81,7 @@ sections:
8181
To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption.
8282
8383
>[!WARNING]
84-
> - If you have previously used [Azure Disk Encryption with Azure AD app](disk-encryption-windows-aad.md) by specifying Azure AD credentials to encrypt this VM, you must continue to use this option. Using Azure Disk Encryption without AAD on a VM that's been encrypted using Azure Disk Encryption with Azure AD is not yet a supported scenario.
84+
> - If you've previously used [Azure Disk Encryption with Azure AD app](disk-encryption-windows-aad.md) by specifying Azure AD credentials to encrypt this VM, you must continue to use this option. Using Azure Disk Encryption without Azure AD on a VM that's been encrypted using Azure Disk Encryption with Azure AD isn't yet a supported scenario.
8585
8686
- question: |
8787
How do I add or remove a key encryption key (KEK) if I didn't originally use one?
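Review bot: the unchanged line 82 in this hunk's context ends "specifying the new key encryption", which reads as though the trailing "key" was dropped ("specifying the new key encryption key"); consider fixing it in this same edit of the answer.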
@@ -91,7 +91,7 @@ sections:
9191
- question: |
9292
What size should I use for my key encryption key (KEK)?
9393
answer: |
94-
Windows Server 2022 and Windows 11 include a newer version of BitLocker and currently does not work with RSA 2048 bit Key Encryption Keys. Until this is resolved, use an RSA 3072 or RSA 4096 bit keys, as described in [Supported operating systems](disk-encryption-overview.md#supported-operating-systems).
94+
Windows Server 2022 and Windows 11 include a newer version of BitLocker and currently doesn't work with RSA 2048 bit Key Encryption Keys. Until resolved, use an RSA 3072 or RSA 4096-bit keys, as described in [Supported operating systems](disk-encryption-overview.md#supported-operating-systems).
9595
9696
For earlier version of Windows, you may instead use RSA 2048 Key Encryption Keys.
9797
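Review bot: line 94 now has a subject-verb disagreement introduced by this change: the subject is "Windows Server 2022 and Windows 11", so it should read "currently don't work with RSA 2048-bit Key Encryption Keys", and "use an RSA 3072 or RSA 4096-bit keys" pairs a singular article with a plural noun; suggest "use RSA 3072-bit or RSA 4096-bit keys". The unchanged line 96 ("For earlier version of Windows") also needs "versions".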
@@ -140,7 +140,7 @@ sections:
140140
The "Bek volume" is a local data volume that securely stores the encryption keys for Encrypted Azure VMs.
141141
142142
> [!NOTE]
143-
> Do not delete or edit any contents in this disk. Do not unmount the disk since the encryption key presence is needed for any encryption operations on the IaaS VM.
143+
> Don't delete or edit any contents in this disk. Don't unmount the disk since the encryption key presence is needed for any encryption operations on the IaaS VM.
144144
145145
- question: |
146146
What encryption method does Azure Disk Encryption use?
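Review bot: "Don't unmount the disk since the encryption key presence is needed" on line 143 is still awkward after the contraction; suggest "Don't unmount the disk, because the encryption key must be present for any encryption operation on the IaaS VM", and "in this disk" should be "on this disk".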
@@ -160,7 +160,7 @@ sections:
160160
- question: |
161161
Can I back up and restore an encrypted VM?
162162
answer: |
163-
Azure Backup provides a mechanism to back up and restore encrypted VM's within the same subscription and region. For instructions, please see [Back up and restore encrypted virtual machines with Azure Backup](../../backup/backup-azure-vms-encryption.md). Restoring an encrypted VM to a different region is not currently supported.
163+
Azure Backup provides a mechanism to back up and restore encrypted VMs within the same subscription and region. For instructions, see [Back up and restore encrypted virtual machines with Azure Backup](../../backup/backup-azure-vms-encryption.md). Restoring an encrypted VM to a different region isn't currently supported.
164164
165165
- question: |
166166
Where can I go to ask questions or provide feedback?

articles/virtual-machines/windows/disk-encryption-key-vault-aad.md

Lines changed: 10 additions & 10 deletions
@@ -6,7 +6,7 @@ ms.service: virtual-machines
66
ms.subservice: disks
77
ms.topic: how-to
88
ms.author: mbaldwin
9-
ms.date: 12/06/2021
9+
ms.date: 01/04/2023
1010

1111
ms.custom: seodec18, devx-track-azurecli, devx-track-azurepowershell
1212

@@ -44,7 +44,7 @@ Azure Disk Encryption is integrated with [Azure Key Vault](../../key-vault/index
4444

4545
### Create a key vault with PowerShell
4646

47-
You can create a key vault with Azure PowerShell using the [New-AzKeyVault](/powershell/module/az.keyvault/New-azKeyVault) cmdlet. For additional cmdlets for Key Vault, see [Az.KeyVault](/powershell/module/az.keyvault/).
47+
You can create a key vault with Azure PowerShell using the [New-AzKeyVault](/powershell/module/az.keyvault/New-azKeyVault) cmdlet. For another cmdlets for Key Vault, see [Az.KeyVault](/powershell/module/az.keyvault/).
4848

4949
1. Create a new resource group, if needed, with [New-AzResourceGroup](/powershell/module/az.Resources/New-azResourceGroup). To list data center locations, use [Get-AzLocation](/powershell/module/az.resources/get-azlocation).
5050

@@ -84,8 +84,8 @@ You can manage your key vault with Azure CLI using the [az keyvault](/cli/azure/
8484
8585
You can create a key vault by using the [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.keyvault/key-vault-create).
8686
87-
1. On the Azure quickstart template, click **Deploy to Azure**.
88-
2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then click **Purchase**.
87+
1. On the Azure quickstart template, select **Deploy to Azure**.
88+
2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then select **Purchase**.
8989
9090
9191
## Set up an Azure AD app and service principal
@@ -104,7 +104,7 @@ To execute the following commands, get and use the [Azure AD PowerShell module](
104104
$servicePrincipal = New-AzADServicePrincipal –ApplicationId $azureAdApplication.ApplicationId -Role Contributor
105105
```
106106
107-
3. The $azureAdApplication.ApplicationId is the Azure AD ClientID and the $aadClientSecret is the client secret that you will use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. Running `$azureAdApplication.ApplicationId` will show you the ApplicationID.
107+
3. The $azureAdApplication.ApplicationId is the Azure AD ClientID and the $aadClientSecret is the client secret that you'll use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. Running `$azureAdApplication.ApplicationId` will show you the ApplicationID.
108108
109109
110110
### Set up an Azure AD app and service principal with Azure CLI
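Review bot: line 107 refers to `$azureAdApplication.ApplicationId` and `$aadClientSecret` in plain text at the start of the sentence but in code formatting at the end; since this line is being edited, format the variable names consistently as code throughout.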
@@ -119,7 +119,7 @@ You can manage your service principals with Azure CLI using the [az ad sp](/cli/
119119
3. The appId returned is the Azure AD ClientID used in other commands. It's also the SPN you'll use for az keyvault set-policy. The password is the client secret that you should use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately.
120120
121121
### Set up an Azure AD app and service principal through the Azure portal
122-
Use the steps from the [Use portal to create an Azure Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md) article to create an Azure AD application. Each step listed below will take you directly to the article section to complete.
122+
Use the steps from the [Use portal to create an Azure Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md) article to create an Azure AD application. Each of these steps will take you directly to the article section to complete.
123123
124124
1. [Verify required permissions](../../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app)
125125
2. [Create an Azure Active Directory application](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
@@ -159,11 +159,11 @@ az keyvault set-policy --name "MySecureVault" --spn "<spn created with CLI/the A
159159
### Set the key vault access policy for the Azure AD app with the portal
160160

161161
1. Open the resource group with your key vault.
162-
2. Select your key vault, go to **Access Policies**, then click **Add new**.
162+
2. Select your key vault, go to **Access Policies**, then select **Add new**.
163163
3. Under **Select principal**, search for the Azure AD application you created and select it.
164164
4. For **Key permissions**, check **Wrap Key** under **Cryptographic Operations**.
165165
5. For **Secret permissions**, check **Set** under **Secret Management Operations**.
166-
6. Click **OK** to save the access policy.
166+
6. Select **OK** to save the access policy.
167167

168168
![Azure Key Vault cryptographic operations - Wrap Key](../media/disk-encryption/keyvault-portal-fig3.png)
169169

@@ -218,15 +218,15 @@ Use [az keyvault update](/cli/azure/keyvault#az-keyvault-update) to enable disk
218218
1. Select your keyvault, go to **Access Policies**, and **Click to show advanced access policies**.
219219
2. Select the box labeled **Enable access to Azure Disk Encryption for volume encryption**.
220220
3. Select **Enable access to Azure Virtual Machines for deployment** and/or **Enable Access to Azure Resource Manager for template deployment**, if needed.
221-
4. Click **Save**.
221+
4. Select **Save**.
222222
223223
![Azure key vault advanced access policies](../media/disk-encryption/keyvault-portal-fig4.png)
224224
225225
226226
## Set up a key encryption key (optional)
227227
If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. Use the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM. For more information, see [Key Vault Documentation](../../key-vault/keys/hsm-protected-keys.md). When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.
228228
229-
* When generating keys, use an RSA key type. Azure Disk Encryption does not yet support using Elliptic Curve keys.
229+
* When generating keys, use an RSA key type. Azure Disk Encryption doesn't yet support using Elliptic Curve keys.
230230
231231
* Your key vault secret and KEK URLs must be versioned. Azure enforces this restriction of versioning. For valid secret and KEK URLs, see the following examples:
232232

articles/virtual-machines/windows/disk-encryption-key-vault.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ ms.collection: windows
77
ms.topic: how-to
88
author: msmbaldwin
99
ms.author: mbaldwin
10-
ms.date: 08/06/2019
10+
ms.date: 01/04/2023
1111
ms.custom: seodec18, devx-track-azurecli
1212
---
1313

articles/virtual-machines/windows/disk-encryption-overview-aad.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.service: virtual-machines
66
ms.subservice: disks
77
ms.topic: conceptual
88
ms.author: mbaldwin
9-
ms.date: 03/15/2019
9+
ms.date: 01/04/2023
1010

1111
ms.custom: seodec18
1212

@@ -26,7 +26,7 @@ This article supplements [Azure Disk Encryption for Windows VMs](disk-encryption
2626
- To write the encryption keys to your key vault, the IaaS VM must be able to connect to the key vault endpoint.
2727
- The IaaS VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files.
2828
- If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs. For more information, see [Azure Key Vault behind a firewall](../../key-vault/general/access-behind-firewall.md).
29-
- The VM to be encrypted must be configured to use TLS 1.2 as the default protocol. If TLS 1.0 has been explicitly disabled and the .NET version has not been updated to 4.6 or higher, the following registry change will enable ADE to select the more recent TLS version:
29+
- The VM to be encrypted must be configured to use TLS 1.2 as the default protocol. If TLS 1.0 has been explicitly disabled and the .NET version hasn't been updated to 4.6 or higher, the following registry change will enable ADE to select the more recent TLS version:
3030

3131
```console
3232
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

articles/virtual-machines/windows/disk-encryption-overview.md

Lines changed: 3 additions & 3 deletions
@@ -7,7 +7,7 @@ ms.subservice: disks
77
ms.collection: windows
88
ms.topic: conceptual
99
ms.author: mbaldwin
10-
ms.date: 10/05/2019
10+
ms.date: 01/04/2023
1111

1212
ms.custom: seodec18
1313

@@ -47,7 +47,7 @@ Azure Disk Encryption is not available on [Basic, A-series VMs](https://azure.mi
4747
- Windows 10 Enterprise multi-session and later.
4848

4949
> [!NOTE]
50-
> Windows Server 2022 and Windows 11 do not support an RSA 2048 bit key. For more details, see [FAQ: What size should I use for my key encryption key?](disk-encryption-faq.yml#what-size-should-i-use-for-my-key-encryption-key--kek--)
50+
> Windows Server 2022 and Windows 11 do not support an RSA 2048 bit key. For more information, see [FAQ: What size should I use for my key encryption key?](disk-encryption-faq.yml#what-size-should-i-use-for-my-key-encryption-key--kek--)
5151
>
5252
> Windows Server 2008 R2 requires the .NET Framework 4.5 to be installed for encryption; install it from Windows Update with the optional update Microsoft .NET Framework 4.5.2 for Windows Server 2008 R2 x64-based systems ([KB2901983](https://www.catalog.update.microsoft.com/Search.aspx?q=KB2901983)).
5353
>
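Review bot: line 50 keeps "RSA 2048 bit key" and "do not", while this same commit hyphenates "4096-bit" and contracts "does not" in the FAQ answer it links to; for consistency write "Windows Server 2022 and Windows 11 don't support an RSA 2048-bit key".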
@@ -66,7 +66,7 @@ Azure Disk Encryption uses the BitLocker external key protector for Windows VMs.
6666

6767
BitLocker policy on domain joined virtual machines with custom group policy must include the following setting: [Configure user storage of BitLocker recovery information -> Allow 256-bit recovery key](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings). Azure Disk Encryption will fail when custom group policy settings for BitLocker are incompatible. On machines that didn't have the correct policy setting, apply the new policy, and force the new policy to update (gpupdate.exe /force). Restarting may be required.
6868

69-
Microsoft Bitlocker Administration and Monitoring (MBAM) group policy features are not compatible with Azure Disk Encryption.
69+
Microsoft BitLocker Administration and Monitoring (MBAM) group policy features aren't compatible with Azure Disk Encryption.
7070

7171
> [!WARNING]
7272
> Azure Disk Encryption **does not store recovery keys**. If the [Interactive logon: Machine account lockout threshold](/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold) security setting is enabled, machines can only be recovered by providing a recovery key via the serial console. Instructions for ensuring the appropriate recovery policies are enabled can be found in the [Bitlocker recovery guide plan](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
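Review bot: line 69 corrects "Bitlocker" to "BitLocker", but the unchanged line 72 in the same hunk still has "[Bitlocker recovery guide plan]" in its link text; apply the same capitalization there.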
