Merge pull request #309422 from akarshprabhu/main

 IaaS | noexec on /var unsupported public doc

Author: prmerger-automator[bot]

articles/backup/backup-support-matrix-iaas.md

@@ -76,7 +76,7 @@ Here's what's supported if you want to back up Linux machines.
 
 **Action** | **Support**
 --- | ---
-Back up Linux Azure VMs with the Linux Azure VM agent | Supported for file-consistent backup.<br/><br/> Also supported for app-consistent backup that uses [custom scripts](backup-azure-linux-app-consistent.md).<br/><br/> During restore, you can create a new VM, restore a disk and use it to create a VM, or restore a disk and use it to replace a disk on an existing VM. You can also restore individual files and folders.
+Back up Linux Azure VMs with the Linux Azure VM agent | Supported for file-consistent backup.<br/><br/> Also supported for app-consistent backup that uses [custom scripts](backup-azure-linux-app-consistent.md).<br/><br/> During restore, you can create a new VM, restore a disk and use it to create a VM, or restore a disk and use it to replace a disk on an existing VM. You can also restore individual files and folders.<br/><br/> *Note: Azure Backup requires the /var and /var/lib directories on Linux machines not to be mounted with the noexec flag. Certain backup operations rely on executing helper scripts from /var/lib, and enforcing noexec prevents these components from running.*
 [Back up Azure VM directly by using agentless crash-consistent backup](backup-azure-vms-agentless-multi-disk-crash-consistent-overview.md) | Agentless crash-consistent backups are operating system agnostic.
 Back up Linux Azure VMs with the MARS agent | Not supported.<br/><br/> The MARS agent can be installed only on Windows machines.
 Back up Linux Azure VMs with DPM or MABS | Not supported.

articles/backup/restore-azure-encrypted-virtual-machines.md

@@ -49,13 +49,16 @@ When your virtual machine uses unmanaged disks, they're restored as blobs to the
    > [!NOTE]
    > After you restore the VM disk, you can manually swap the OS disk of the original VM with the restored VM disk without re-creating it. [Learn more](/azure/virtual-machines/windows/os-disk-swap).
 
+> [!TIP]
+> **Single‑pass ADE restore behavior** -  VMs that use ADE single‑pass encryption store encryption settings on the disk object. Tier‑1 (snapshot‑tier) restores may fail if snapshot‑time metadata does not match the Key Vault’s current BEK/KEK state or if encryption settings have rotated after the snapshot was taken. If a Tier‑1 restore fails, retry using a vault‑tier recovery point, which reconstructs disks using full encryption metadata.
+
 ### Step 2: Recreate the virtual machine instance 
 
 Do one of the following actions:
 
 - Use the template that's generated during the restore operation to customize VM settings and trigger VM deployment. [Learn more](backup-azure-arm-restore-vms.md#use-templates-to-customize-a-restored-vm).
   >[!NOTE]
-   >While deploying the template, verify the storage account containers and the public/private settings.
+   > While deploying the template, verify the storage account containers and the public/private settings.
 - Create a new VM from the restored disks using PowerShell. [Learn more](backup-azure-vms-automation.md#create-a-vm-from-restored-disks).
 
 ### Step 3: Restore an encrypted Linux VM
@@ -74,6 +77,9 @@ Reinstall the ADE extension so the data disks are open and mounted.
 
 Azure Backup supports Cross Region Restore of encrypted Azure VMs to the [Azure paired regions](../reliability/cross-region-replication-azure.md). Learn how to [enable Cross Region Restore](backup-create-rs-vault.md#set-cross-region-restore) for an encrypted VM.
 
+> [!NOTE]
+> Cross region restore for Encrypted VMs is not supported if the paired region is not in the same geography. For example: Brazil South and South Central US.
+
 ## Move an encrypted Azure VM
 
 Moving an encrypted VM across vault or resource group is same as moving a backed-up Azure Virtual machine. See,