Review pass.

roygara · roygara · commit a71639185882 · 2023-01-19T12:23:38.000-08:00
diff --git a/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md b/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md
@@ -14,13 +14,13 @@ ms.subservice: disks
 
 **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: 
 
-Azure Disk Storage allows you to manage your own keys when using server-side encryption (SSE) for managed disks, if you choose. For conceptual information on SSE with customer managed keys, as well as other managed disk encryption types, see the **Customer-managed keys** section of our disk encryption article: [Customer-managed keys](disk-encryption.md#customer-managed-keys)
+Azure Disk Storage allows you to manage your own keys when using server-side encryption (SSE) for managed disks, if you choose. For conceptual information on SSE with customer managed keys, and other managed disk encryption types, see the **Customer-managed keys** section of our disk encryption article: [Customer-managed keys](disk-encryption.md#customer-managed-keys)
 
 ## Restrictions
 
 For now, customer-managed keys have the following restrictions:
 
-- If this feature is enabled for your disk, you cannot disable it.
+- If this feature is enabled for your disk, you can't disable it.
     If you need to work around this, you must copy all the data to an entirely different managed disk that isn't using customer-managed keys:
 
     - For Linux: [Copy a managed disk](./linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk)
@@ -52,14 +52,14 @@ The VM deployment process is similar to the standard deployment process, the onl
 ## Enable on an existing disk
 
 > [!CAUTION]
-> Enabling disk encryption on any disks attached to a VM will require that you stop the VM.
+> Enabling disk encryption on any disks attached to a VM requires you to stop the VM.
     
 1. Navigate to a VM that is in the same region as one of your disk encryption sets.
 1. Open the VM and select **Stop**.
 
     :::image type="content" source="media/virtual-machines-disk-encryption-portal/server-side-encryption-stop-vm-to-encrypt-disk-fix.png" alt-text="Screenshot of the main overlay for your example VM, with the Stop button highlighted." lightbox="media/virtual-machines-disk-encryption-portal/server-side-encryption-stop-vm-to-encrypt-disk-fix.png":::
 
-1. After the VM has finished stopping, select **Disks** and then select the disk you want to encrypt.
+1. After the VM has finished stopping, select **Disks**, and then select the disk you want to encrypt.
 
     :::image type="content" source="media/virtual-machines-disk-encryption-portal/server-side-encryption-existing-disk-select.png" alt-text="Screenshot of your example VM, with the Disks pane open, the OS disk is highlighted, as an example disk for you to select." lightbox="media/virtual-machines-disk-encryption-portal/server-side-encryption-existing-disk-select.png":::
 
diff --git a/articles/virtual-machines/disks-enable-double-encryption-at-rest-portal.md b/articles/virtual-machines/disks-enable-double-encryption-at-rest-portal.md
@@ -15,7 +15,7 @@ ms.custom: references_regions
 
 **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark:
 
-Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, as well as other managed disk encryption types, see the [Double encryption at rest](disk-encryption.md#double-encryption-at-rest) section of our disk encryption article.
+Azure Disk Storage supports double encryption at rest for managed disks. For conceptual information on double encryption at rest, and other managed disk encryption types, see the [Double encryption at rest](disk-encryption.md#double-encryption-at-rest) section of our disk encryption article.
 
 ## Getting started
 
@@ -61,7 +61,6 @@ Azure Disk Storage supports double encryption at rest for managed disks. For con
 
 You have now enabled double encryption at rest on your managed disk.
 
-
 ## Next steps
 
 - [Azure PowerShell - Enable customer-managed keys with server-side encryption - managed disks](./windows/disks-enable-customer-managed-keys-powershell.md)
diff --git a/articles/virtual-machines/disks-enable-host-based-encryption-portal.md b/articles/virtual-machines/disks-enable-host-based-encryption-portal.md
@@ -25,11 +25,11 @@ Temporary disks and ephemeral OS disks are encrypted at rest with platform-manag
 
 ### Supported VM sizes
 
-Legacy VM Sizes are not supported. You can find the list of supported VM sizes by either using the [Azure PowerShell module](windows/disks-enable-host-based-encryption-powershell.md#finding-supported-vm-sizes) or [Azure CLI](linux/disks-enable-host-based-encryption-cli.md#finding-supported-vm-sizes).
+Legacy VM Sizes aren't supported. You can find the list of supported VM sizes by either using the [Azure PowerShell module](windows/disks-enable-host-based-encryption-powershell.md#finding-supported-vm-sizes) or [Azure CLI](linux/disks-enable-host-based-encryption-cli.md#finding-supported-vm-sizes).
 
 ## Prerequisites
 
-You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Use the following steps to enable the feature for your subscription:
+You must enable the feature for your subscription before you can use encryption at host for either your VM or virtual machine scale set. Use the following steps to enable the feature for your subscription:
 
 1. **Azure portal**: Select the Cloud Shell icon on the [Azure portal](https://portal.azure.com):
 
@@ -51,7 +51,7 @@ You must enable the feature for your subscription before you use the EncryptionA
 
     ---
 
-1.	Confirm that the registration state is **Registered** (takes a few minutes) using the command below before trying out the feature.
+1.	Confirm that the registration state is **Registered** (registration may take a few minutes) using the following command before trying out the feature.
 
     ### [Azure PowerShell](#tab/azure-powershell)
 
@@ -69,9 +69,9 @@ You must enable the feature for your subscription before you use the EncryptionA
 ## Deploy a VM with platform-managed keys
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for **Virtual Machines** and select **+ Add** to create a VM.
-1. Create a new virtual machine, select an appropriate region and a supported VM size.
-1. Fill in the other values on the **Basic** pane as you like, then proceed to the **Disks** pane.
+1. Search for **Virtual Machines** and select **+ Create** to create a VM.
+1. Select an appropriate region and a supported VM size.
+1. Fill in the other values on the **Basic** pane as you like, and then proceed to the **Disks** pane.
 
     :::image type="content" source="media/virtual-machines-disks-encryption-at-host-portal/disks-encryption-at-host-basic-blade.png" alt-text="Screenshot of the virtual machine creation basics pane, region and VM size are highlighted." lightbox="media/virtual-machines-disks-encryption-at-host-portal/disks-encryption-at-host-basic-blade.png":::
 
@@ -82,7 +82,7 @@ You must enable the feature for your subscription before you use the EncryptionA
 
 1. For the rest of the VM deployment process, make selections that fit your environment, and complete the deployment.
 
-You have now deployed a VM with encryption at host enabled, and the cache for the disk is encrypted using platform-managed keys.
+You've now deployed a VM with encryption at host enabled, and the cache for the disk is encrypted using platform-managed keys.
 
 ## Deploy a VM with customer-managed keys
 
@@ -113,7 +113,7 @@ Now that you've setup an Azure Key Vault and disk encryption set, you can deploy
 
 1. For the rest of the VM deployment process, make selections that fit your environment, and complete the deployment.
 
-You have now deployed a VM with encryption at host enabled using customer-managed keys.
+You've now deployed a VM with encryption at host enabled using customer-managed keys.
 
 ## Disable host based encryption
 
diff --git a/articles/virtual-machines/media/virtual-machines-disks-double-encryption-at-rest-portal/double-encryption-enable-disk-blade.png b/articles/virtual-machines/media/virtual-machines-disks-double-encryption-at-rest-portal/double-encryption-enable-disk-blade.png
diff --git a/includes/virtual-machines-disks-encryption-at-host-restrictions.md b/includes/virtual-machines-disks-encryption-at-host-restrictions.md
@@ -5,13 +5,13 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 09/10/2022
+ ms.date: 01/19/2023
  ms.author: rogarana
  ms.custom: include file
 ---
 - Doesn't support ultra disks or premium SSD v2 managed disks.
-- Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs/virtual machine scale sets.
+- Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your virtual machines (VMs) or virtual machine scale sets.
 - Azure Disk Encryption cannot be enabled on disks that have encryption at host enabled.
-- The encryption can be enabled on existing virtual machine scale set. However, only new VMs created after enabling the encryption are automatically encrypted.
+- The encryption can be enabled on existing virtual machine scale sets. However, only new VMs created after enabling the encryption are automatically encrypted.
 - Existing VMs must be deallocated and reallocated in order to be encrypted.
 - Supports ephemeral OS disks but only with platform-managed keys.
diff --git a/includes/virtual-machines-disks-encryption-create-key-vault-portal.md b/includes/virtual-machines-disks-encryption-create-key-vault-portal.md
@@ -9,7 +9,7 @@
  ms.author: rogarana
  ms.custom: include file
 ---
-Setting up customer-managed keys for your disks will require you to create resources in a particular order, if you're doing it for the first time. First, you will need to create and set up an Azure Key Vault.
+Setting up customer-managed keys for your disks requires you to create resources in a particular order, if you're doing it for the first time. First, you'll need to create and set up an Azure Key Vault.
 
 ## Set up your Azure Key Vault
 
@@ -53,7 +53,7 @@ Now that you've created the Azure key vault and a key, you must add an Azure RBA
 ## Set up your disk encryption set
 
 1. Search for **Disk Encryption Sets** and select it.
-1. On the **Disk Encryption Sets** pane select **+Create**.
+1. On the **Disk Encryption Sets** pane, select **+Create**.
 1. Select your resource group, name your encryption set, and select the same region as your key vault.
 1. For **Encryption type**, select **Encryption at-rest with a customer-managed key**.
 
@@ -67,7 +67,7 @@ Now that you've created the Azure key vault and a key, you must add an Azure RBA
 
     :::image type="content" source="media/virtual-machines-disk-encryption-portal/server-side-encryption-disk-set-blade.png" alt-text="Screenshot of the disk encryption creation pane. Showing the subscription, resource group, disk encryption set name, region, and key vault + key selector." lightbox="media/virtual-machines-disk-encryption-portal/server-side-encryption-disk-set-blade.png":::
 
-1. Navigate to the disk encryption set once it is deployed, and select the displayed alert.
+1. Navigate to the disk encryption set once it's deployed, and select the displayed alert.
 
     :::image type="content" source="media/virtual-machines-disk-encryption-portal/disk-encryption-set-perm-alert.png" alt-text="Screenshot of user selecting the 'To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault' alert." lightbox="media/virtual-machines-disk-encryption-portal/disk-encryption-set-perm-alert.png":::
 
