MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/azure-government/azure-secure-isolation-guidance.md
Lines changed: 2 additions & 2 deletions b/‎articles/azure-government/azure-secure-isolation-guidance.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/backup/azure-backup-glossary.md
Lines changed: 1 addition & 1 deletion b/‎articles/backup/azure-backup-glossary.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/backup/backup-azure-vms-encryption.md
Lines changed: 2 additions & 2 deletions b/‎articles/backup/backup-azure-vms-encryption.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/backup/encryption-at-rest-with-cmk.md
Lines changed: 1 addition & 1 deletion b/‎articles/backup/encryption-at-rest-with-cmk.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/batch/disk-encryption.md
Lines changed: 107 additions & 107 deletions b/‎articles/batch/disk-encryption.md
Lines changed: 107 additions & 107 deletions
diff --git a/‎articles/confidential-computing/confidential-vm-faq-amd.yml
Lines changed: 1 addition & 1 deletion b/‎articles/confidential-computing/confidential-vm-faq-amd.yml
Lines changed: 1 addition & 1 deletion
@@ -30,6 +30,11 @@
     "redirect_url":  "/previous-versions/azure/germany/germany-get-started-connect-with-ps",
     "redirect_document_id":  false
 },
+{
+    "source_path":  "articles/security/fundamentals/azure-disk-encryption-vms-vmss.md",
+    "redirect_url":  "/azure/virtual-machines/disk-encryption-overview",
+    "redirect_document_id":  false
+},
 {
     "source_path":  "articles/germany/germany-get-started-connect-with-vs.md",
     "redirect_url":  "/previous-versions/azure/germany/germany-get-started-connect-with-vs",
 
@@ -745,7 +745,7 @@ Storage accounts are encrypted regardless of their performance tier (standard or
 Because data encryption is performed by the Storage service, server-side encryption with CMK enables you to use any operating system types and images for your VMs. For your Windows and Linux IaaS VMs, Azure also provides Azure Disk encryption that enables you to encrypt managed disks with CMK within the Guest VM, as described in the next section. Combining Azure Storage service encryption and Disk encryption effectively enables [double encryption of data at rest](../virtual-machines/disks-enable-double-encryption-at-rest-portal.md).
 
 #### Azure Disk encryption
-Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, you may optionally use [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to encrypt Azure [Windows](../virtual-machines/windows/disk-encryption-overview.md) and [Linux](../virtual-machines/linux/disk-encryption-overview.md) IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes [managed disks](../virtual-machines/managed-disks-overview.md), as described later in this section. Azure disk encryption uses the industry standard [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview) feature of Windows and the [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide OS-based volume encryption that is integrated with Azure Key Vault.
+Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, you may optionally use [Azure Disk encryption](../virtual-machines/disk-encryption-overview.md) to encrypt Azure [Windows](../virtual-machines/windows/disk-encryption-overview.md) and [Linux](../virtual-machines/linux/disk-encryption-overview.md) IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes [managed disks](../virtual-machines/managed-disks-overview.md), as described later in this section. Azure disk encryption uses the industry standard [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview) feature of Windows and the [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide OS-based volume encryption that is integrated with Azure Key Vault.
 
 Drive encryption through BitLocker and DM-Crypt is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker and DM-Crypt provide the most protection when used with a Trusted Platform Module (TPM) version 1.2 or higher. The TPM is a microcontroller designed to secure hardware through integrated cryptographic keys – it's commonly pre-installed on newer computers. BitLocker and DM-Crypt can use this technology to protect the keys used to encrypt disk volumes and provide integrity to computer boot process.
 
@@ -774,7 +774,7 @@ For [Windows VMs](../virtual-machines/windows/disk-encryption-faq.yml), Azure Di
 Customer-managed keys (CMK) enable you to have [full control](../virtual-machines/disk-encryption.md#full-control-of-your-keys) over your encryption keys. You can grant access to managed disks in your Azure Key Vault so that your keys can be used for encrypting and decrypting the DEK. You can also disable your keys or revoke access to managed disks at any time. Finally, you have full audit control over key usage with Azure Key Vault monitoring to ensure that only managed disks or other authorized resources are accessing your encryption keys.
 
 ##### *Encryption at host*
-Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.
+Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../virtual-machines/disk-encryption-overview.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.
 
 You're [always in control of your customer data](https://www.microsoft.com/trust-center/privacy/data-management) in Azure. You can access, extract, and delete your customer data stored in Azure at will. When you terminate your Azure subscription, Microsoft takes the necessary steps to ensure that you continue to own your customer data. A common concern upon data deletion or subscription termination is whether another customer or Azure administrator can access your deleted data. The following sections explain how data deletion, retention, and destruction work in Azure.
 
 
@@ -75,7 +75,7 @@ Refer to [Azure Resource Manager documentation](../azure-resource-manager/manage
 
 ## Azure Disk Encryption (ADE)
 
-Refer to [Azure Disk Encryption documentation](../security/fundamentals/azure-disk-encryption-vms-vmss.md).
+Refer to [Azure Disk Encryption documentation](../virtual-machines/disk-encryption-overview.md).
 
 ## Backend storage / Cloud storage / Backup storage
 
 
@@ -36,8 +36,8 @@ Azure Backup can back up and restore Azure VMs using ADE with and without the Az
 **Unmanaged** | Yes | Yes
 **Managed**  | Yes | Yes
 
-- Learn more about [ADE](../security/fundamentals/azure-disk-encryption-vms-vmss.md), [Key Vault](../key-vault/general/overview.md), and [KEKs](../virtual-machine-scale-sets/disk-encryption-key-vault.md#set-up-a-key-encryption-key-kek).
-- Read the [FAQ](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for Azure VM disk encryption.
+- Learn more about [ADE](../virtual-machines/disk-encryption-overview.md), [Key Vault](../key-vault/general/overview.md), and [KEKs](../virtual-machine-scale-sets/disk-encryption-key-vault.md#set-up-a-key-encryption-key-kek).
+- Read the [FAQ](../virtual-machines/disk-encryption-overview.md) for Azure VM disk encryption.
 
 ### Limitations
 
 
@@ -30,7 +30,7 @@ This article discusses about how to:
 
 - This feature currently **doesn't support backup using MARS agent**, and you may not be able to use a CMK-encrypted vault for the same. The MARS agent uses a user passphrase-based encryption. This feature also doesn't support backup of classic VMs.
 
-- This feature isn't related to [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md), which uses guest-based encryption of a VM's disk using BitLocker (for Windows) and DM-Crypt (for Linux).
+- This feature isn't related to [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md), which uses guest-based encryption of a VM's disk using BitLocker (for Windows) and DM-Crypt (for Linux).
 
 - The Recovery Services vault can be encrypted only with keys stored in Azure Key Vault, located in the **same region**. Also, keys must be **RSA keys** only and should be in **enabled** state.
 
 
@@ -1,107 +1,107 @@
----
-title: Create a pool with disk encryption enabled
-description: Learn how to use disk encryption configuration to encrypt nodes with a platform-managed key.
-ms.topic: how-to
-ms.date: 04/16/2021
-ms.devlang: csharp
-ms.custom: devx-track-azurecli
----
-
-# Create a pool with disk encryption enabled
-
-When you create an Azure Batch pool using [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration), you can encrypt compute nodes in the pool with a platform-managed key by specifying the disk encryption configuration.
-
-This article explains how to create a Batch pool with disk encryption enabled.
-
-## Why use a pool with disk encryption configuration?
-
-With a Batch pool, you can access and store data on the OS and temporary disks of the compute node. Encrypting the server-side disk with a platform-managed key will safeguard this data with low overhead and convenience.
-
-Batch will apply one of these disk encryption technologies on compute nodes, based on pool configuration and regional supportability.
-
-- [Managed disk encryption at rest with platform-managed keys](../virtual-machines/disk-encryption.md#platform-managed-keys)
-- [Encryption at host using a platform-managed Key](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data)
-- [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md)
-
-You won't be able to specify which encryption method will be applied to the nodes in your pool. Instead, you provide the target disks you want to encrypt on their nodes, and Batch can choose the appropriate encryption method, ensuring the specified disks are encrypted on the compute node.
-
-> [!IMPORTANT]
-> If you are creating your pool with a Linux [custom image](batch-sig-images.md), you can only enable disk encryption only if your pool is using an [Encryption At Host Supported VM size](../virtual-machines/disk-encryption.md#supported-vm-sizes).
-> Encryption At Host is not currently supported on User Subscription Pools until the feature becomes [publicly available in Azure](../virtual-machines/disks-enable-host-based-encryption-portal.md#prerequisites).
-
-## Azure portal
-
-When creating a Batch pool in the the Azure portal, select either **TemporaryDisk** or **OsAndTemporaryDisk** under **Disk Encryption Configuration**.
-
-:::image type="content" source="media/disk-encryption/portal-view.png" alt-text="Screenshot of the Disk Encryption Configuration option in the Azure portal.":::
-
-After the pool is created, you can see the disk encryption configuration targets in the pool's **Properties** section.
-
-:::image type="content" source="media/disk-encryption/configuration-target.png" alt-text="Screenshot showing the disk encryption configuration targets in the Azure portal.":::
-
-## Examples
-
-The following examples show how to encrypt the OS and temporary disks on a Batch pool using the Batch .NET SDK, the Batch REST API, and the Azure CLI.
-
-### Batch .NET SDK
-
-```csharp
-pool.VirtualMachineConfiguration.DiskEncryptionConfiguration = new DiskEncryptionConfiguration(
-    targets: new List<DiskEncryptionTarget> { DiskEncryptionTarget.OsDisk, DiskEncryptionTarget.TemporaryDisk }
-    );
-```
-
-### Batch REST API
-
-REST API URL:
-
-```
-POST {batchURL}/pools?api-version=2020-03-01.11.0
-client-request-id: 00000000-0000-0000-0000-000000000000
-```
-
-Request body:
-
-```
-"pool": {
-    "id": "pool2",
-    "vmSize": "standard_a1",
-    "virtualMachineConfiguration": {
-        "imageReference": {
-            "publisher": "Canonical",
-            "offer": "UbuntuServer",
-            "sku": "18.04-LTS"
-        },
-        "diskEncryptionConfiguration": {
-            "targets": [
-                "OsDisk",
-                "TemporaryDisk"
-            ]
-        }
-        "nodeAgentSKUId": "batch.node.ubuntu 18.04"
-    },
-    "resizeTimeout": "PT15M",
-    "targetDedicatedNodes": 5,
-    "targetLowPriorityNodes": 0,
-    "taskSlotsPerNode": 3,
-    "enableAutoScale": false,
-    "enableInterNodeCommunication": false
-}
-```
-
-### Azure CLI
-
-```azurecli-interactive
-az batch pool create \
-    --id diskencryptionPool \
-    --vm-size Standard_DS1_V2 \
-    --target-dedicated-nodes 2 \
-    --image canonical:ubuntuserver:18.04-LTS \
-    --node-agent-sku-id "batch.node.ubuntu 18.04" \
-    --disk-encryption-targets OsDisk TemporaryDisk
-```
-
-## Next steps
-
-- Learn more about [server-side encryption of Azure Disk Storage](../virtual-machines/disk-encryption.md).
-- For an in-depth overview of Batch, see [Batch service workflow and resources](batch-service-workflow-features.md).
+---
+title: Create a pool with disk encryption enabled
+description: Learn how to use disk encryption configuration to encrypt nodes with a platform-managed key.
+ms.topic: how-to
+ms.date: 04/16/2021
+ms.devlang: csharp
+ms.custom: devx-track-azurecli
+---
+
+# Create a pool with disk encryption enabled
+
+When you create an Azure Batch pool using [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration), you can encrypt compute nodes in the pool with a platform-managed key by specifying the disk encryption configuration.
+
+This article explains how to create a Batch pool with disk encryption enabled.
+
+## Why use a pool with disk encryption configuration?
+
+With a Batch pool, you can access and store data on the OS and temporary disks of the compute node. Encrypting the server-side disk with a platform-managed key will safeguard this data with low overhead and convenience.
+
+Batch will apply one of these disk encryption technologies on compute nodes, based on pool configuration and regional supportability.
+
+- [Managed disk encryption at rest with platform-managed keys](../virtual-machines/disk-encryption.md#platform-managed-keys)
+- [Encryption at host using a platform-managed Key](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data)
+- [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md)
+
+You won't be able to specify which encryption method will be applied to the nodes in your pool. Instead, you provide the target disks you want to encrypt on their nodes, and Batch can choose the appropriate encryption method, ensuring the specified disks are encrypted on the compute node.
+
+> [!IMPORTANT]
+> If you are creating your pool with a Linux [custom image](batch-sig-images.md), you can only enable disk encryption only if your pool is using an [Encryption At Host Supported VM size](../virtual-machines/disk-encryption.md#supported-vm-sizes).
+> Encryption At Host is not currently supported on User Subscription Pools until the feature becomes [publicly available in Azure](../virtual-machines/disks-enable-host-based-encryption-portal.md#prerequisites).
+
+## Azure portal
+
+When creating a Batch pool in the the Azure portal, select either **TemporaryDisk** or **OsAndTemporaryDisk** under **Disk Encryption Configuration**.
+
+:::image type="content" source="media/disk-encryption/portal-view.png" alt-text="Screenshot of the Disk Encryption Configuration option in the Azure portal.":::
+
+After the pool is created, you can see the disk encryption configuration targets in the pool's **Properties** section.
+
+:::image type="content" source="media/disk-encryption/configuration-target.png" alt-text="Screenshot showing the disk encryption configuration targets in the Azure portal.":::
+
+## Examples
+
+The following examples show how to encrypt the OS and temporary disks on a Batch pool using the Batch .NET SDK, the Batch REST API, and the Azure CLI.
+
+### Batch .NET SDK
+
+```csharp
+pool.VirtualMachineConfiguration.DiskEncryptionConfiguration = new DiskEncryptionConfiguration(
+    targets: new List<DiskEncryptionTarget> { DiskEncryptionTarget.OsDisk, DiskEncryptionTarget.TemporaryDisk }
+    );
+```
+
+### Batch REST API
+
+REST API URL:
+
+```
+POST {batchURL}/pools?api-version=2020-03-01.11.0
+client-request-id: 00000000-0000-0000-0000-000000000000
+```
+
+Request body:
+
+```
+"pool": {
+    "id": "pool2",
+    "vmSize": "standard_a1",
+    "virtualMachineConfiguration": {
+        "imageReference": {
+            "publisher": "Canonical",
+            "offer": "UbuntuServer",
+            "sku": "18.04-LTS"
+        },
+        "diskEncryptionConfiguration": {
+            "targets": [
+                "OsDisk",
+                "TemporaryDisk"
+            ]
+        }
+        "nodeAgentSKUId": "batch.node.ubuntu 18.04"
+    },
+    "resizeTimeout": "PT15M",
+    "targetDedicatedNodes": 5,
+    "targetLowPriorityNodes": 0,
+    "taskSlotsPerNode": 3,
+    "enableAutoScale": false,
+    "enableInterNodeCommunication": false
+}
+```
+
+### Azure CLI
+
+```azurecli-interactive
+az batch pool create \
+    --id diskencryptionPool \
+    --vm-size Standard_DS1_V2 \
+    --target-dedicated-nodes 2 \
+    --image canonical:ubuntuserver:18.04-LTS \
+    --node-agent-sku-id "batch.node.ubuntu 18.04" \
+    --disk-encryption-targets OsDisk TemporaryDisk
+```
+
+## Next steps
+
+- Learn more about [server-side encryption of Azure Disk Storage](../virtual-machines/disk-encryption.md).
+- For an in-depth overview of Batch, see [Batch service workflow and resources](batch-service-workflow-features.md).
@@ -95,7 +95,7 @@ sections:
           Do I have to use the full-disk encryption scheme? Can I use a standard scheme instead?
         answer: |
           The optional full-disk encryption scheme is Azure's most secure and meets the [Confidential Computing principles](https://azure.microsoft.com/blog/azure-confidential-computing/). 
-          However, you can also use other [disk encryption schemes](../security/fundamentals/azure-disk-encryption-vms-vmss.md) along with or instead of full-disk encryption.
+          However, you can also use other [disk encryption schemes](../virtual-machines/disk-encryption-overview.md) along with or instead of full-disk encryption.
           If you use multiple disk encryption schemes, double encryption might negatively affect performance.
 
       - question: |