Adding clarity to EAH docs around platform-managed keys. Acrolinx fixes.

Author: roygara

articles/virtual-machines/disks-enable-host-based-encryption-portal.md

@@ -4,7 +4,7 @@ description: Use encryption at host to enable end-to-end encryption on your Azur
 author: roygara
 ms.service: storage
 ms.topic: how-to
-ms.date: 01/19/2023
+ms.date: 03/28/2023
 ms.author: rogarana
 ms.subservice: disks
 ms.custom: references_regions
@@ -94,7 +94,7 @@ Once the feature is enabled, you need to set up an Azure Key Vault and a disk en
 
 ### Deploy a VM
 
-Now that you've setup an Azure Key Vault and disk encryption set, you can deploy a VM and it uses encryption at host.
+Now that you have setup an Azure Key Vault and disk encryption set, you can deploy a VM and it uses encryption at host.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. Search for **Virtual Machines** and select **+ Add** to create a VM.

articles/virtual-machines/linux/disks-enable-host-based-encryption-cli.md

@@ -4,7 +4,7 @@ description: Use encryption at host to enable end-to-end encryption on your Azur
 author: roygara
 ms.service: storage
 ms.topic: how-to
-ms.date: 03/20/2023
+ms.date: 03/28/2023
 ms.author: rogarana
 ms.subservice: disks
 ms.custom: references_regions, devx-track-azurecli
@@ -14,7 +14,7 @@ ms.custom: references_regions, devx-track-azurecli
 
 **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets 
 
-When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. For conceptual information on encryption at host, as well as other managed disk encryption types, see [Encryption at host - End-to-end encryption for your VM data](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
+When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. For conceptual information on encryption at host, and other managed disk encryption types, see [Encryption at host - End-to-end encryption for your VM data](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
 
 ## Restrictions
 
@@ -23,7 +23,7 @@ When you enable encryption at host, data stored on the VM host is encrypted at r
 ### Supported VM sizes
 
 The complete list of supported VM sizes can be pulled programmatically. To learn how to retrieve them programmatically, see the [Finding supported VM sizes](#finding-supported-vm-sizes) section.
-Upgrading the VM size will result in validation to check if the new VM size supports the EncryptionAtHost feature.
+Upgrading the VM size results in validation to check if the new VM size supports the EncryptionAtHost feature.
 
 ## Prerequisites
 
@@ -44,11 +44,16 @@ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
 
 ### Create resources
 
-Once the feature is enabled, you'll need to set up a DiskEncryptionSet and either an [Azure Key Vault](../../key-vault/general/overview.md) or an [Azure Key Vault Managed HSM](../../key-vault/managed-hsm/overview.md).
+> [!NOTE]
+> If you're using platform-managed keys, this section is optional. You can skip to the [Example scripts](#example-scripts) section.
+>
+> The [Create resources](#create-resources) section only applies to customer-managed keys.
+
+Once the feature is enabled, you need to set up a DiskEncryptionSet and either an [Azure Key Vault](../../key-vault/general/overview.md) or an [Azure Key Vault Managed HSM](../../key-vault/managed-hsm/overview.md).
 
 [!INCLUDE [virtual-machines-disks-encryption-create-key-vault-cli](../../../includes/virtual-machines-disks-encryption-create-key-vault-cli.md)]
 
-## Examples
+## Example scripts
 
 ### Create a VM with encryption at host enabled with customer-managed keys. 
 
@@ -133,9 +138,9 @@ az vm update -n $vmName \
 --set securityProfile.encryptionAtHost=false
 ```
 
-### Create a virtual machine scale set with encryption at host enabled with customer-managed keys. 
+### Create a Virtual Machine Scale Set with encryption at host enabled with customer-managed keys. 
 
-Create a virtual machine scale set with managed disks using the resource URI of the DiskEncryptionSet created earlier to encrypt cache of OS and data disks with customer-managed keys. The temp disks are encrypted with platform-managed keys. 
+Create a Virtual Machine Scale Set with managed disks using the resource URI of the DiskEncryptionSet created earlier to encrypt cache of OS and data disks with customer-managed keys. The temp disks are encrypted with platform-managed keys. 
 
 ```azurecli
 rgName=yourRGName
@@ -159,9 +164,9 @@ az vmss create -g $rgName \
 --data-disk-encryption-sets $diskEncryptionSetId $diskEncryptionSetId
 ```
 
-### Create a virtual machine scale set with encryption at host enabled with platform-managed keys. 
+### Create a Virtual Machine Scale Set with encryption at host enabled with platform-managed keys. 
 
-Create a virtual machine scale set with encryption at host enabled to encrypt cache of OS/data disks and temp disks with platform-managed keys. 
+Create a Virtual Machine Scale Set with encryption at host enabled to encrypt cache of OS/data disks and temp disks with platform-managed keys. 
 
 ```azurecli
 rgName=yourRGName
@@ -180,7 +185,7 @@ az vmss create -g $rgName \
 --data-disk-sizes-gb 64 128 \
 ```
 
-### Update a virtual machine scale set to enable encryption at host. 
+### Update a Virtual Machine Scale Set to enable encryption at host. 
 
 ```azurecli
 rgName=yourRGName
@@ -191,7 +196,7 @@ az vmss update -n $vmssName \
 --set virtualMachineProfile.securityProfile.encryptionAtHost=true
 ```
 
-### Check the status of encryption at host for a virtual machine scale set
+### Check the status of encryption at host for a Virtual Machine Scale Set
 
 ```azurecli
 rgName=yourRGName
@@ -202,9 +207,9 @@ az vmss show -n $vmssName \
 --query [virtualMachineProfile.securityProfile.encryptionAtHost] -o tsv
 ```
 
-### Update a virtual machine scale set to disable encryption at host. 
+### Update a Virtual Machine Scale Set to disable encryption at host. 
 
-You can disable encryption at host on your virtual machine scale set but, this will only affect VMs created after you disable encryption at host. For existing VMs, you must deallocate the VM, [disable encryption at host on that individual VM](#update-a-vm-to-disable-encryption-at-host), then reallocate the VM.
+You can disable encryption at host on your Virtual Machine Scale Set but, this will only affect VMs created after you disable encryption at host. For existing VMs, you must deallocate the VM, [disable encryption at host on that individual VM](#update-a-vm-to-disable-encryption-at-host), then reallocate the VM.
 
 ```azurecli
 rgName=yourRGName
@@ -217,7 +222,7 @@ az vmss update -n $vmssName \
 
 ## Finding supported VM sizes
 
-Legacy VM Sizes are not supported. You can find the list of supported VM sizes by either using resource SKU APIs or the Azure PowerShell module. You can't find the supported sizes using the CLI.
+Legacy VM Sizes aren't supported. You can find the list of supported VM sizes by either using resource SKU APIs or the Azure PowerShell module. You can't find the supported sizes using the CLI.
 
 When calling the [Resource Skus API](/rest/api/compute/resourceskus/list), check that the `EncryptionAtHostSupported` capability is set to **True**.
 

articles/virtual-machines/windows/disks-enable-host-based-encryption-powershell.md

@@ -4,7 +4,7 @@ description: How to enable end-to-end encryption for your Azure VMs using encryp
 author: roygara
 ms.service: storage
 ms.topic: how-to
-ms.date: 11/17/2021
+ms.date: 03/28/2023
 ms.author: rogarana
 ms.subservice: disks
 ms.custom: references_regions, devx-track-azurepowershell, ignite-fall-2021
@@ -14,7 +14,7 @@ ms.custom: references_regions, devx-track-azurepowershell, ignite-fall-2021
 
 **Applies to:** :heavy_check_mark: Windows VMs 
 
-When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. For conceptual information on encryption at host, as well as other managed disk encryption types, see [Encryption at host - End-to-end encryption for your VM data](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
+When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. For conceptual information on encryption at host, and other managed disk encryption types, see [Encryption at host - End-to-end encryption for your VM data](../disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
 
 ## Restrictions
 
@@ -24,19 +24,19 @@ When you enable encryption at host, data stored on the VM host is encrypted at r
 ### Supported VM sizes
 
 The complete list of supported VM sizes can be pulled programmatically. To learn how to retrieve them programmatically, refer to the [Finding supported VM sizes](#finding-supported-vm-sizes) section.
-Upgrading the VM size will result in validation to check if the new VM size supports the EncryptionAtHost feature.
+Upgrading the VM size results in validation to check if the new VM size supports the EncryptionAtHost feature.
 
 ## Prerequisites
 
-You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Please follow the steps below to enable the feature for your subscription:
+You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Use the following steps to enable the feature for your subscription:
 
 1.	Execute the following command to register the feature for your subscription
 
     ```powershell
      Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute" 
     ```
 
-2.	Please check that the registration state is Registered (takes a few minutes) using the command below before trying out the feature.
+2.	Check that the registration state is Registered (takes a few minutes) using the following command before trying out the feature.
 
     ```powershell
      Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"  
@@ -45,17 +45,22 @@ You must enable the feature for your subscription before you use the EncryptionA
 
 ### Create an Azure Key Vault and DiskEncryptionSet
 
-Once the feature is enabled, you'll need to set up an Azure Key Vault and a DiskEncryptionSet, if you haven't already.
+> [!NOTE]
+> If you're using platform-managed keys, this section is optional. You can skip to the [Example scripts](#example-scripts) section.
+> 
+> The [Create an Azure Key Vault and DiskEncryptionSet](#create-an-azure-key-vault-and-diskencryptionset) section only applies to customer-managed keys.
+
+Once the feature is enabled, you need to set up an Azure Key Vault and a DiskEncryptionSet, if you haven't already.
 
 [!INCLUDE [virtual-machines-disks-encryption-create-key-vault-powershell](../../../includes/virtual-machines-disks-encryption-create-key-vault-powershell.md)]
 
-## Enable encryption at host for disks attached to VM and virtual machine scale sets
+## Enable encryption at host for disks attached to VM and Virtual Machine Scale Sets
 
-You can enable encryption at host by setting a new property EncryptionAtHost under securityProfile of VMs or virtual machine scale sets using the API version **2020-06-01** and above.
+You can enable encryption at host by setting a new property EncryptionAtHost under securityProfile of VMs or Virtual Machine Scale Sets using the API version **2020-06-01** and above.
 
 `"securityProfile": { "encryptionAtHost": "true" }`
 
-## Examples
+## Example scripts
 
 ### Create a VM with encryption at host enabled with customer-managed keys. 
 
@@ -182,9 +187,9 @@ Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force
 Update-AzVM -VM $VM -ResourceGroupName $ResourceGroupName -EncryptionAtHost $false
 ```
 
-### Create a virtual machine scale set with encryption at host enabled with customer-managed keys. 
+### Create a Virtual Machine Scale Set with encryption at host enabled with customer-managed keys. 
 
-Create a virtual machine scale set with managed disks using the resource URI of the DiskEncryptionSet created earlier to encrypt cache of OS and data disks with customer-managed keys. The temp disks are encrypted with platform-managed keys. 
+Create a Virtual Machine Scale Set with managed disks using the resource URI of the DiskEncryptionSet created earlier to encrypt cache of OS and data disks with customer-managed keys. The temp disks are encrypted with platform-managed keys. 
 
 ```powershell
 $VMLocalAdminUser = "yourLocalAdminUser"
@@ -226,9 +231,9 @@ $VMSS = Set-AzVmssOsProfile $VMSS -ComputerNamePrefix $ComputerNamePrefix -Admin
 $VMSS = Add-AzVmssDataDisk -VirtualMachineScaleSet $VMSS -CreateOption Empty -Lun 1 -DiskSizeGB 128 -StorageAccountType Premium_LRS -DiskEncryptionSetId $diskEncryptionSet.Id
 ```
 
-### Create a virtual machine scale set with encryption at host enabled with platform-managed keys. 
+### Create a Virtual Machine Scale Set with encryption at host enabled with platform-managed keys. 
 
-Create a virtual machine scale set with encryption at host enabled to encrypt cache of OS/data disks and temp disks with platform-managed keys. 
+Create a Virtual Machine Scale Set with encryption at host enabled to encrypt cache of OS/data disks and temp disks with platform-managed keys. 
 
 ```powershell
 $VMLocalAdminUser = "yourLocalAdminUser"
@@ -267,7 +272,7 @@ $Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdmi
 New-AzVmss -VirtualMachineScaleSet $VMSS -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName
 ```
 
-### Update a virtual machine scale set to enable encryption at host. 
+### Update a Virtual Machine Scale Set to enable encryption at host. 
 
 ```powershell
 $ResourceGroupName = "yourResourceGroupName"
@@ -278,7 +283,7 @@ $VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -Name $VMScaleSetName
 Update-AzVmss -VirtualMachineScaleSet $VMSS -Name $VMScaleSetName -ResourceGroupName $ResourceGroupName -EncryptionAtHost $true
 ```
 
-### Check the status of encryption at host for a virtual machine scale set
+### Check the status of encryption at host for a Virtual Machine Scale Set
 
 ```powershell
 $ResourceGroupName = "yourResourceGroupName"
@@ -289,9 +294,9 @@ $VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -Name $VMScaleSetName
 $VMSS.VirtualMachineProfile.SecurityProfile.EncryptionAtHost
 ```
 
-### Update a virtual machine scale set to disable encryption at host. 
+### Update a Virtual Machine Scale Set to disable encryption at host. 
 
-You can disable encryption at host on your virtual machine scale set but, this will only affect VMs created after you disable encryption at host. For existing VMs, you must deallocate the VM, [disable encryption at host on that individual VM](#disable-encryption-at-host), then reallocate the VM.
+You can disable encryption at host on your Virtual Machine Scale Set but, this will only affect VMs created after you disable encryption at host. For existing VMs, you must deallocate the VM, [disable encryption at host on that individual VM](#disable-encryption-at-host), then reallocate the VM.
 
 ```powershell
 $ResourceGroupName = "yourResourceGroupName"
@@ -304,7 +309,7 @@ Update-AzVmss -VirtualMachineScaleSet $VMSS -Name $VMScaleSetName -ResourceGroup
 
 ## Finding supported VM sizes
 
-Legacy VM Sizes are not supported. You can find the list of supported VM sizes by either:
+Legacy VM Sizes aren't supported. You can find the list of supported VM sizes by either:
 
 Calling the [Resource Skus API](/rest/api/compute/resourceskus/list) and checking that the `EncryptionAtHostSupported` capability is set to **True**.