Merge pull request #34629 from Pietervanhove/SQLConnector

prmerger-automator[bot] · web-flow · commit 7a4aecda86af · 2025-07-08T15:32:34.000Z
SQL Connector upgrade
diff --git a/docs/relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md b/docs/relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md
@@ -46,6 +46,15 @@ Versions 1.0.0.440 and older have been replaced and are no longer supported in p
 1. Start SQL Server service.
 1. Test encrypted databases are accessible.
 
+If your database is in a `RECOVERY PENDING` state, you need to run an `ALTER` command on the cryptographic provider. Replace *AzureKeyVault_EKM* with the name of your actual cryptographic provider, which you can find in the [sys.cryptographic_providers](../../../relational-databases/system-catalog-views/sys-cryptographic-providers-transact-sql.md) system view.
+
+``` sql
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM DISABLE;  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM ENABLE;
+```
+Restart the SQL Server service after modifying the cryptographic provider.
+
 ### Rollback
 
 1. Stop SQL Server service using **SQL Server Configuration Manager**.
diff --git a/docs/relational-databases/security/encryption/sql-server-connector-registry-modification.md b/docs/relational-databases/security/encryption/sql-server-connector-registry-modification.md
@@ -4,7 +4,7 @@ description: This article describes enabling errors and logging for SQL Server C
 author: VanMSFT
 ms.author: vanto
 ms.reviewer: vanto
-ms.date: 08/23/2021
+ms.date: 07/08/2025
 ms.service: sql
 ms.subservice: security
 ms.topic: how-to
@@ -27,44 +27,58 @@ Use the [Azure Key Vault forum](https://social.msdn.microsoft.com/Forums/AzureKe
 
 ## Upgrade SQL Server Connector to the latest version
 
-To upgrade the SQL Server Connector (Version: 1.0.5.0 with a Date Published: September 2020) to the latest version DLL Crypto provider, follow these steps.
+To upgrade the SQL Server Connector (Version: 1.0.5.0 with a Date Published: January 2025) to the latest version DLL Crypto provider, follow these steps.
 
 ### Upgrade
 
-1. Stop SQL Server service using SQL Server Configuration Manager
-1. Uninstall the old version using **Control Panel\Programs\Programs and Features**
+1. Stop SQL Server service using **SQL Server Configuration Manager**.
+1. Uninstall the old version using **Control Panel** > **Programs** > **Programs and Features**.
     1. Application name: SQL Server Connector for Microsoft Azure Key Vault
-    1. Version: 15.0.300.96 (original 1.0.5.0 version)
-    1. DLL file date: 01/30/2018 3:00 PM
-1. Install (upgrade) new SQL Server Connector for Microsoft Azure Key Vault
-    1. Version: 15.0.2000.440 (or latest version)
-    1. DLL file date: 09/11/2020 ‏‎5:17 AM (or later)
-1. Start SQL Server service
-1. Test encrypted DB(s) is/are accessible
+    1. Version: 15.0.300.96 (or older)
+    1. DLL file date: January 30 2018 (or older)
+1. Install (upgrade) new SQL Server Connector for Microsoft Azure Key Vault.
+    1. Version: 15.0.2000.440
+    1. DLL file date: November 9 2024
+1. Start SQL Server service.
+1. Test encrypted databases are accessible.
+
+If your database is in a `RECOVERY PENDING` state, you need to run an `ALTER` command on the cryptographic provider. Replace *AzureKeyVault_EKM* with the name of your actual cryptographic provider, which you can find in the [sys.cryptographic_providers](../../../relational-databases/system-catalog-views/sys-cryptographic-providers-transact-sql.md) system view.
+
+``` sql
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM DISABLE;  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';  
+ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM ENABLE;
+```
+Restart the SQL Server service after modifying the cryptographic provider.
 
 ### Rollback
 
-1. Stop SQL Server service using SQL Server Configuration Manager
-1. Uninstall the new version using **Control Panel\Programs\Programs and Features**
+1. Stop SQL Server service using **SQL Server Configuration Manager**.
+1. Uninstall the new version using **Control Panel** > **Programs** > **Programs and Features**.
     1. Application name: SQL Server Connector for Microsoft Azure Key Vault
     1. Version: 15.0.2000.440
-    1. DLL file date: 09/11/2020 ‏‎5:17 AM
-1. Install old version of SQL Server Connector for Microsoft Azure Key Vault
+    1. DLL file date: November 9 2024
+
+1. Install old version of SQL Server Connector for Microsoft Azure Key Vault.
     1. Version: 15.0.300.96
-    1. DLL file date: 01/30/2018 3:00 PM
-1. Start SQL Server service
-1. Test encrypted DB(s) is/are accessible
+    1. DLL file date: January 30 2018
+1. Start SQL Server service.
+1. Check that the databases using TDE are accessible.
+
+1. After validating that the update works, you can delete the old [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] **Connector** folder (if you chose to rename it instead of uninstalling in Step 3).
 
 > [!NOTE]
 > - SQL Server Connector versions 1.0.0.440 and older have been replaced and are no longer supported in production environments. For more information on troubleshooting SQL Server Connector issues, see [SQL Server Connector Maintenance & Troubleshooting](../../../relational-databases/security/encryption/sql-server-connector-maintenance-troubleshooting.md).
 > - Starting with version 1.0.3.0, the SQL Server Connector reports relevant error messages to the Windows event logs for troubleshooting.
 > - Starting with [1.0.4.0: (version 13.0.811.168)](https://download.microsoft.com/download/8/0/9/809494f2-bac9-4388-ad07-7eaf9745d77b/SQL%20Server%20Connector%20for%20Microsoft%20Azure%20Key%20Vault%201.0.4.0.msi), there is support for private Azure clouds, including Azure operated by 21Vianet, Azure Germany, and Azure Government.
 > - There is a breaking change in version 1.0.5.0 in terms of the thumbprint algorithm. You may experience database restore failures after upgrading to 1.0.5.0. For more information, see [Error 33111 when restoring backups from older versions of SQL Server Connector for Microsoft Azure Key Vault](/troubleshoot/sql/database-engine/backup-restore/error-33111-restore-issues-sql-connector).
-> - **Starting with version [1.0.5.0 (with a file date of September 2020)](https://www.microsoft.com/en-us/download/details.aspx?id=45344), the SQL Server Connector supports filtering messages and network request retry logic.**
+> - Starting with version [1.0.5.0 (with a file date of September 2020)](https://www.microsoft.com/en-us/download/details.aspx?id=45344), the SQL Server Connector supports filtering messages and network request retry logic.
+> - Starting with version [1.0.5.0 (with a file date of November 2024)](https://www.microsoft.com/en-us/download/details.aspx?id=45344) and SQL Server 2022 CU17 and later versions., the SQL Server Connector supports authentication with Azure Key Vault using managed identity for SQL Server on Azure Virtual Machines.
 > - *The old version of the SQL Server Connector is also version: [1.0.5.0 (version 15.0.300.96) – File date January 2018](https://download.microsoft.com/download/8/0/9/809494f2-bac9-4388-ad07-7eaf9745d77b/1033_15.0.2000.367/SQLServerConnectorforMicrosoftAzureKeyVault.msi)*. Upgrade to the newest SQL Server Connector if you experience any issues.
 
 **System Requirements** - Supported SQL Server versions:
 
+- SQL Server 2022 RTM Enterprise or Standard 64-bit
 - SQL Server 2019 RTM Enterprise or Standard 64-bit
 - SQL Server 2017 RTM Enterprise 64-bit
 - SQL Server 2016 RTM Enterprise 64-bit
