Updating all scripts.

Author: roygara

articles/virtual-machines/disk-encryption.md

@@ -41,8 +41,6 @@ By default, managed disks use platform-managed encryption keys. All managed disk
 
 For now, customer-managed keys have the following restrictions:
 
-- For Ultra Disks and Premium SSD v2 only: If this feature is enabled for your disk, you cannot disable it.
-    If you need to work around this, you must copy all the data using either the [Azure PowerShell module](windows/disks-upload-vhd-to-managed-disk-powershell.md#copy-a-managed-disk) or the [Azure CLI](linux/disks-upload-vhd-to-managed-disk-cli.md#copy-a-managed-disk), to an entirely different managed disk that isn't using customer-managed keys.
 [!INCLUDE [virtual-machines-managed-disks-customer-managed-keys-restrictions](../../includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md)]
 
 #### Supported regions

articles/virtual-machines/image-version-encryption.md

@@ -38,10 +38,6 @@ When you're using customer-managed keys for encrypting images in an Azure Comput
 
 - Encryption key sets are regional resources, so each region requires a different encryption key set.
 
-- For Ultra Disks and Premium SSD v2 only: You can't copy or share images that use customer-managed keys. 
-
-- For Ultra Disks and Premium SSD v2 only: After you've used your own keys to encrypt a disk or image, you can't go back to using platform-managed keys for encrypting those disks or images.
-
 - VM image version source doesn't currently support customer-managed key encryption.
 
 ## PowerShell

articles/virtual-machines/scripts/copy-managed-disks-to-same-or-different-subscription.md

@@ -9,14 +9,14 @@ ms.subservice: disks
 ms.devlang: azurecli
 ms.topic: sample
 ms.workload: infrastructure
-ms.date: 02/23/2022
+ms.date: 02/22/2023
 ms.author: ramankum
 ms.custom: mvc
 ---
 
 # Copy managed disks to same or different subscription with CLI
 
-This script copies a managed disk to same or different subscription but in the same region. The copy works only when the subscriptions are part of the same Azure AD tenant.
+This article contains two scripts. The first script copies a managed disk that's using platform-managed keys to same or different subscription but in the same region. The second script copies a managed disk that's using customer-managed keys to the same or a different subscription in the same region. Either copy only works when the subscriptions are part of the same Azure AD tenant.
 
 [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
 
@@ -26,10 +26,57 @@ This script copies a managed disk to same or different subscription but in the s
 
 [!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-### Run the script
+### Disks with platform-managed keys
 
 :::code language="azurecli" source="~/azure_cli_scripts/virtual-machine/copy-managed-disks-to-same-or-different-subscription/copy-managed-disks-to-same-or-different-subscription.sh" id="FullScript":::
 
+### Disks with customer-managed keys
+
+```azurecli
+#Provide the subscription Id of the subscription where managed disk exists
+sourceSubscriptionId="<subscriptionId>"
+
+#Provide the name of your resource group where managed disk exists
+sourceResourceGroupName=mySourceResourceGroupName
+
+#Provide the name of the managed disk
+managedDiskName=myDiskName
+
+#Provide the name of the disk encryption set
+diskEncryptionSetName=myName
+
+#Provide the disk encryption set ID
+diskEncrpytonSetId=myID
+
+#Provide the disk encryption set resource group
+diskEncryptionResourceGroup=myGroup
+
+#Set the context to the subscription Id where managed disk exists
+az account set --subscription $sourceSubscriptionId
+
+#Get the managed disk Id 
+managedDiskId=$(az disk show --name $managedDiskName --resource-group $sourceResourceGroupName --query [id] -o tsv)
+
+#If managedDiskId is blank then it means that managed disk does not exist.
+echo 'source managed disk Id is: ' $managedDiskId
+
+#Get the disk encryption set ID
+diskEncryptionSetId=$(az disk-encryption-set show --name $diskEncryptionSetName --resource-group $diskEncryptionResourceGroup)
+
+#Provide the subscription Id of the subscription where managed disk will be copied to
+targetSubscriptionId=6492b1f7-f219-446b-b509-314e17e1efb0
+
+#Name of the resource group where managed disk will be copied to
+targetResourceGroupName=mytargetResourceGroupName
+
+#Set the context to the subscription Id where managed disk will be copied to
+az account set --subscription $targetSubscriptionId
+
+#Copy managed disk to different subscription using managed disk Id and disk encryption set ID
+#Add --location parameter to change the location
+az disk create -g $targetResourceGroupName -n $managedDiskName --source $managedDiskId --disk-encryption-set $diskEncrpytonSetId
+```
+
 ## Clean up resources
 
 Run the following command to remove the resource group, VM, and all related resources.

articles/virtual-machines/scripts/copy-snapshot-to-same-or-different-subscription.md

@@ -8,14 +8,14 @@ ms.service: storage
 ms.subservice: disks
 ms.topic: sample
 ms.workload: infrastructure
-ms.date: 02/23/2022
+ms.date: 02/22/2023
 ms.author: ramankum
 ms.custom: mvc
 ---
 
 # Copy snapshot of a managed disk to same or different subscription with CLI
 
-This script copies a snapshot of a managed disk to same or different subscription. Use this script for the following scenarios:
+This article contains two scripts. The first script copies a snapshot of a managed disk that was using platform-managed keys to the same or a different subscription. The second script copies a snapshot of a managed disk that was using customer-managed keys to the same or a different subscription. These scripts can be used for the following scenarios:
 
 - Migrate a snapshot in Premium storage (Premium_LRS) to Standard storage (Standard_LRS or Standard_ZRS) to reduce your cost.
 - Migrate a snapshot from locally redundant storage (Premium_LRS, Standard_LRS) to zone redundant storage (Standard_ZRS) to benefit from the higher reliability of ZRS storage.
@@ -32,10 +32,58 @@ This script copies a snapshot of a managed disk to same or different subscriptio
 
 [!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-### Run the script
+### Disks with platform-managed keys
 
 :::code language="azurecli" source="~/azure_cli_scripts/virtual-machine/copy-snapshot-to-same-or-different-subscription/copy-snapshot-to-same-or-different-subscription.sh" id="FullScript":::
 
+### Disks with customer-managed keys
+
+```azurecli
+#Provide the subscription Id of the subscription where snapshot exists
+sourceSubscriptionId="<subscriptionId>"
+
+#Provide the name of your resource group where snapshot exists
+sourceResourceGroupName=mySourceResourceGroupName
+
+#Provide the disk encryption set ID
+diskEncrpytonSetId=myID
+
+#Provide the disk encryption set resource group
+diskEncryptionResourceGroup=myGroup
+
+#Provide the name of the snapshot
+snapshotName=mySnapshotName
+
+#Set the context to the subscription Id where snapshot exists
+az account set --subscription $sourceSubscriptionId
+
+#Get the snapshot Id 
+snapshotId=$(az snapshot show --name $snapshotName --resource-group $sourceResourceGroupName --query [id] -o tsv)
+
+#If snapshotId is blank then it means that snapshot does not exist.
+echo 'source snapshot Id is: ' $snapshotId
+
+#Get the disk encryption set ID
+diskEncryptionSetId=$(az disk-encryption-set show --name $diskEncryptionSetName --resource-group $diskEncryptionResourceGroup)
+
+#Provide the subscription Id of the subscription where snapshot will be copied to
+#If snapshot is copied to the same subscription then you can skip this step
+targetSubscriptionId=6492b1f7-f219-446b-b509-314e17e1efb0
+
+#Name of the resource group where snapshot will be copied to
+targetResourceGroupName=mytargetResourceGroupName
+
+#Set the context to the subscription Id where snapshot will be copied to
+#If snapshot is copied to the same subscription then you can skip this step
+az account set --subscription $targetSubscriptionId
+
+#Copy snapshot to different subscription using the snapshot Id
+#We recommend you to store your snapshots in Standard storage to reduce cost. Please use Standard_ZRS in regions where zone redundant storage (ZRS) is available, otherwise use Standard_LRS
+#Please check out the availability of ZRS here: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs#support-coverage-and-regional-availability
+#To change the region, use the --location parameter
+az snapshot create -g $targetResourceGroupName -n $snapshotName --source $snapshotId --disk-encryption-set $diskEncryptionSetID --sku Standard_LRS --encryption-type EncryptionAtRestWithCustomerKey
+```
+
 ## Clean up resources
 
 Run the following command to remove the resource group, VM, and all related resources.

articles/virtual-machines/scripts/create-managed-disk-from-snapshot.md

@@ -15,14 +15,14 @@ ms.devlang: azurecli
 ms.topic: sample
 ms.tgt_pltfrm: vm-linux
 ms.workload: infrastructure
-ms.date: 02/23/2022
+ms.date: 02/22/2023
 ms.author: ramankum
 ms.custom: mvc
 ---
 
 # Create a managed disk from a snapshot with CLI (Linux)
 
-This script creates a managed disk from a snapshot. Use it to restore a virtual machine from snapshots of OS and data disks. Create OS and data managed disks from respective snapshots and then create a new virtual machine by attaching managed disks. You can also restore data disks of an existing VM by attaching data disks created from snapshots.
+This article contains two scripts for creating a managed disk from a snapshot. The first script is for a managed disk with platform-managed keys and the second script is for a managed disk with customer-manaegd keys. Use these scripts to restore a virtual machine from snapshots of OS and data disks. Create OS and data managed disks from respective snapshots and then create a new virtual machine by attaching managed disks. You can also restore data disks of an existing VM by attaching data disks created from snapshots.
 
 [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
 
@@ -32,10 +32,52 @@ This script creates a managed disk from a snapshot. Use it to restore a virtual
 
 [!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-### Run the script
+### Disks with platform-managed keys
 
 :::code language="azurecli" source="~/azure_cli_scripts/virtual-machine/create-managed-disks-from-snapshot/create-managed-disks-from-snapshot.sh" id="FullScript":::
 
+### Disks with customer-managed keys
+
+```azurecli
+#Provide the subscription Id of the subscription where you want to create Managed Disks
+subscriptionId="<subscriptionId>"
+
+#Provide the name of your resource group
+resourceGroupName=myResourceGroupName
+
+#Provide the name of the snapshot that will be used to create Managed Disks
+snapshotName=mySnapshotName
+
+#Provide the name of the new Managed Disks that will be create
+diskName=myDiskName
+
+#Provide the size of the disks in GB. It should be greater than the VHD file size.
+diskSize=128
+
+#Provide the storage type for Managed Disk. Premium_LRS or Standard_LRS.
+storageType=Premium_LRS
+
+#Provide the disk encryption set ID
+diskEncrpytonSetId=myID
+
+#Provide the disk encryption set resource group
+diskEncryptionResourceGroup=myGroup
+
+#Set the context to the subscription Id where Managed Disk will be created
+az account set --subscription $subscriptionId
+
+#Get the snapshot Id 
+snapshotId=$(az snapshot show --name $snapshotName --resource-group $resourceGroupName --query [id] -o tsv)
+
+#Get the disk encryption set ID
+diskEncryptionSetId=$(az disk-encryption-set show --name $diskEncryptionSetName --resource-group $diskEncryptionResourceGroup)
+
+#Create a new Managed Disks using the snapshot Id
+#Note that managed disk will be created in the same location as the snapshot
+#To change the location, add the --location parameter
+az disk create -g $resourceGroupName -n $diskName --source $snapshotId --disk-encryption-set $diskEncryptionSetID --location eastus2euap
+```
+
 ## Clean up resources
 
 Run the following command to remove the resource group, VM, and all related resources.

includes/virtual-machines-managed-disks-customer-managed-keys-restrictions.md

@@ -5,13 +5,13 @@
  author: roygara
  ms.service: virtual-machines
  ms.topic: include
- ms.date: 10/12/2022
+ ms.date: 02/21/2023
  ms.author: rogarana
  ms.custom: include file
 ---
 - Only [software and HSM RSA keys](../articles/key-vault/keys/about-keys.md) of sizes 2,048-bit, 3,072-bit and 4,096-bit are supported, no other keys or sizes.
     - [HSM](../articles/key-vault/keys/hsm-protected-keys.md) keys require the **premium** tier of Azure Key vaults.
-- For Ultra Disks and Premium SSD v2 only: Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. Your disks and their images must be in the same subscription, the keys used to encrypt your disks can be in a different subscription.
+- Disks created from custom images that are encrypted using server-side encryption and customer-managed keys must be encrypted using the same customer-managed keys. Your disks and their images must be in the same subscription, the keys used to encrypt your disks can be in a different subscription.
 - For Ultra Disks and Premium SSD v2 only: Snapshots created from disks that are encrypted with server-side encryption and customer-managed keys must be encrypted with the same customer-managed keys.
 - Most resources related to your customer-managed keys (disk encryption sets, VMs, disks, and snapshots) must be in the same subscription and region.
     - Azure Key Vaults may be used from a different subscription but must be in the same region as your disk encryption set. As a preview, you can use Azure Key Vaults from [different Azure Active Directory tenants](../articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md).