Update.s

roygara · roygara · commit 7790718212e5 · 2023-02-21T15:14:43.000-08:00
diff --git a/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md b/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md
@@ -3,7 +3,7 @@ title: Azure portal - Enable customer-managed keys with SSE - managed disks
 description: Enable customer-managed keys on your managed disks through the Azure portal.
 author: roygara
 
-ms.date: 01/19/2023
+ms.date: 02/22/2023
 ms.topic: how-to
 ms.author: rogarana
 ms.service: storage
@@ -20,7 +20,7 @@ Azure Disk Storage allows you to manage your own keys when using server-side enc
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you can't disable it.
+- If this feature is enabled for a disk with incremental snapshots, it can't be disabled on that disk or its snapshots.
     If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys:
 
     - For Linux: [Copy a managed disk](./linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk)
diff --git a/articles/virtual-machines/linux/disks-enable-customer-managed-keys-cli.md b/articles/virtual-machines/linux/disks-enable-customer-managed-keys-cli.md
@@ -2,7 +2,7 @@
 title: Azure CLI - Enable customer-managed keys with SSE - managed disks
 description: Enable customer-managed keys on your managed disks with the Azure CLI.
 author: roygara
-ms.date: 03/15/2022
+ms.date: 02/22/2023
 ms.topic: how-to
 ms.author: rogarana
 ms.service: storage
@@ -20,7 +20,7 @@ Azure Disk Storage allows you to manage your own keys when using server-side enc
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you cannot disable it.
+- If this feature is enabled for a disk with incremental snapshots, it can't be disabled on that disk or its snapshots.
     If you need to work around this, you must [copy all the data](disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk) to an entirely different managed disk that isn't using customer-managed keys.
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
diff --git a/articles/virtual-machines/windows/disks-enable-customer-managed-keys-powershell.md b/articles/virtual-machines/windows/disks-enable-customer-managed-keys-powershell.md
@@ -2,7 +2,7 @@
 title: Azure PowerShell - Enable customer-managed keys with SSE - managed disks
 description: Enable server-side encryption using customer-managed keys on your managed disks with Azure PowerShell.
 author: roygara
-ms.date: 11/02/2021
+ms.date: 02/22/2023
 ms.topic: how-to
 ms.author: rogarana
 ms.service: storage
@@ -20,7 +20,7 @@ Azure Disk Storage allows you to manage your own keys when using server-side enc
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you cannot disable it.
+- If this feature is enabled for a disk with incremental snapshots, it can't be disabled on that disk or its snapshots.
     If you need to work around this, you must [copy all the data](disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk) to an entirely different managed disk that isn't using customer-managed keys.
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
diff --git a/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md b/includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md
@@ -11,8 +11,8 @@
 ---
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
-- For Ultra Disks and Premium SSD v2 only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
-- Disks using incremental snapshots and incremental snapshots themselves can't be copied to different encryption sets.
+- Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. Your disks and their images must be in the same subscription, the keys used to encrypt your disks can be in a different subscription.
+- For Ultra Disks only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
     - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Azure Active Directory tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).
 - Disks encrypted with customer-managed keys can only move to another resource group if the VM they are attached to is deallocated.
