Merge pull request #5604 from MicrosoftDocs/master

4/19 AM Publish

Author: v-alje

docs/relational-databases/polybase/polybase-guide.md

@@ -29,7 +29,7 @@ manager: "craigg"
 ms.workload: "Active"
 ---
 # PolyBase Guide
-[!INCLUDE[appliesto-ss-xxxx-asdw-pdw-md](../../includes/appliesto-ss-xxxx-xxxx-xxx-md.md)]
+[!INCLUDE[appliesto-ss-xxxx-asdw-pdw-md](../../includes/appliesto-ss-xxxx-asdw-pdw-md.md)]
   PolyBase is a technology that accesses data outside of the database via the t-sql language.  In SQL Server 2016, it allows you to run queries on external data in Hadoop or to import/export data from Azure Blob Storage. Queries are optimized to push computation to Hadoop. In Azure SQL Data Warehouse, you can import/export data from Azure Blob Storage and Azure Data Lake Store.
 
 

docs/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql.md

@@ -17,7 +17,7 @@ ms.workload: "On Demand"
 ms.tgt_pltfrm: ""
 
 ms.topic: "article"
-ms.date: "04/16/2018"
+ms.date: "04/19/2018"
 ms.author: "aliceku"
 monikerRange: "= azuresqldb-current || = azure-sqldw-latest || = sqlallproducts-allversions"
 --- 
@@ -62,9 +62,9 @@ When TDE is first configured to use a TDE protector from Key Vault, the server s
 
 ### Guidelines for configuring Azure Key Vault
 
-- Use a key vault with [soft-delete](https://docs.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete) enabled to protect from data loss in case of accidental key – or key vault – deletion:  
-  - Soft deleted resources are retained for a set period of time, 90 days unless they are recovered or purged.
-  - The **recover** and **purge** actions have their own permissions associated in a key vault access policy. 
+- Configure key vault with [soft-delete](https://docs.microsoft.com/azure/key-vault/key-vault-ovw-soft-delete) enabled to protect from data loss in case of accidental or malicious key – or key vault – deletion.  This is a **hard requirement** for TDE with BYOK:  
+  - Soft deleted resources are retained for 90 days unless they are recovered or purged.
+  - The **recover** and **purge** actions have their own permissions defined in a key vault access policy. 
 - Grant the logical server access to the key vault using its Azure Active Directory (Azure AD) Identity.  When using the Portal UI, the Azure AD identity gets automatically created and the key vault access permissions are granted to the server.  Using PowerShell to configure TDE with BYOK, the Azure AD identity must be created and completion should be verified. See [Configure TDE with BYOK](transparent-data-encryption-byok-azure-sql-configure.md) for detailed step-by-step instructions when using PowerShell.
 
   >[!NOTE]