Merge pull request #36734 from VanMSFT/vanmsft/uuf-security-batch5-feb27

Resolve 4 UUF items: TDE restore, certificate config, ML Services versions

Author: VanMSFT

docs/database-engine/configure-windows/certificate-requirements.md

@@ -4,7 +4,8 @@ description: This article describes the requirements for SQL Server encryption a
 author: VanMSFT
 ms.author: vanto
 ms.reviewer: randolphwest
-ms.date: 08/26/2025
+ms.date: 02/27/2026
+ai-usage: ai-assisted
 ms.service: sql
 ms.subservice: configuration
 ms.topic: concept-article
@@ -18,7 +19,7 @@ This article describes certificate requirements for [!INCLUDE [ssnoversion-md](.
 
 For using Transport Layer Security (TLS) for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] encryption, you need to provision a certificate (one of the three digital types) that meets the following conditions:
 
-- The certificate must be in either the local computer certificate store or the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] service account certificate store. We recommend local computer certificate store as it avoids reconfiguring certificates with [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] startup account changes.
+- The certificate must be in either the local computer certificate store or the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] service account certificate store. Use the local computer certificate store to avoid reconfiguring certificates when the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] startup account changes.
 
 - The [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] service account must have the necessary permission to access the TLS certificate. For more information, see [Encrypt connections to SQL Server by importing a certificate](configure-sql-server-encryption.md).
 
@@ -101,6 +102,65 @@ For more information on SQL clusters, see [Before Installing Failover Clustering
 
 In [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)] and later versions, [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] Configuration Manager automatically validates all certificate requirements during the configuration phase itself. If [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] successfully starts after you configure a certificate, it's a good indication that [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] can use that certificate. But some client applications might still have other requirements for certificates that can be used for encryption, and you might experience different errors depending on the application being used. In that scenario, you need to check the client application's support documentation for more information on the subject.
 
+### Verify KeySpec and Key Usage
+
+The `KeySpec` requirement (`AT_KEYEXCHANGE`) is a common cause of certificate configuration failures. Use the following methods to verify that your certificate meets this requirement.
+
+#### Use certutil
+
+Run `certutil` with the `-v` option to display detailed certificate properties, including `KeySpec` and `Key Usage`:
+
+```cmd
+certutil -v -store My "<certificate_thumbprint>"
+```
+
+In the output, look for the following values:
+
+```output
+KeySpec = 1 -- AT_KEYEXCHANGE
+Key Usage = Key Encipherment, Digital Signature (a0)
+Enhanced Key Usage:
+    Server Authentication (1.3.6.1.5.5.7.3.1)
+```
+
+If `KeySpec = 2` (`AT_SIGNATURE`), the certificate can't be used for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] encryption.
+
+#### Use PowerShell
+
+Run the following PowerShell commands to check `KeySpec` for certificates in the local computer store:
+
+```powershell
+Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
+    $cert = $_
+    $key = $cert.PrivateKey
+    [PSCustomObject]@{
+        Subject   = $cert.Subject
+        Thumbprint = $cert.Thumbprint
+        KeySpec   = if ($key) { $key.CspKeyContainerInfo.KeyNumber } else { 'No private key' }
+        NotAfter  = $cert.NotAfter
+    }
+} | Format-Table -AutoSize
+```
+
+Verify that `KeySpec` shows `Exchange` (corresponding to `AT_KEYEXCHANGE`). If it shows `Signature`, request a new certificate with the correct `KeySpec` setting.
+
+### Create a certificate using AD CS
+
+If your organization uses Active Directory Certificate Services (AD CS) as an internal certificate authority (CA), create a certificate that meets [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] requirements by following these steps:
+
+1. Open the **Certificates** MMC snap-in for the local computer (`certlm.msc`).
+1. Expand **Personal**, right-click **Certificates**, and select **All Tasks** > **Request New Certificate**.
+1. Select **Active Directory Enrollment Policy** and select **Next**.
+1. Choose a certificate template that supports server authentication. A **Web Server** or custom template configured for server authentication typically meets the requirements. Verify with your CA administrator that the template uses a legacy Cryptographic Service Provider (CSP) with `KeySpec = AT_KEYEXCHANGE`, not a Key Storage Provider (KSP).
+1. On the **Certificate Properties** page:
+   - Set the **Common Name (CN)** to the hostname or FQDN of your [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] instance.
+   - On the **Subject Alternative Name** tab, add DNS entries for all hostnames that clients use to connect (hostname, FQDN, and any aliases).
+1. Complete the enrollment wizard and verify the new certificate appears in **Personal** > **Certificates**.
+1. Verify the `KeySpec` by using certutil or PowerShell as described in [Verify KeySpec and Key Usage](#verify-keyspec-and-key-usage).
+
+> [!IMPORTANT]
+> Certificates created with a Key Storage Provider (KSP), such as the **Microsoft Software Key Storage Provider**, use `KeySpec = 0` and aren't compatible with [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)]. When creating your certificate template in AD CS, select a legacy CSP like **Microsoft RSA SChannel Cryptographic Provider** to ensure `KeySpec = AT_KEYEXCHANGE`.
+
 You can use one of the following methods to check the validity of the certificate for use with [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)]:
 
 - **sqlcheck tool**: `sqlcheck` is a command-line tool that examines the current computer and service account settings and produce a text report to the Console window that is useful for troubleshooting various connection errors. The output has the following information regarding certificates:

docs/machine-learning/install/sql-machine-learning-services-windows-install.md

@@ -3,7 +3,8 @@ title: Install SQL Server Machine Learning Services on Windows
 description: Learn how to install SQL Server Machine Learning Services on Windows to run Python and R scripts in-database.
 author: VanMSFT
 ms.author: vanto
-ms.date: 09/17/2025
+ms.date: 02/27/2026
+ai-usage: ai-assisted
 ms.service: sql
 ms.subservice: machine-learning-services
 ms.topic: how-to
@@ -17,9 +18,26 @@ monikerRange: "=sql-server-2016 || =sql-server-2017 || =sql-server-ver15"
 
 This article shows you how to install [SQL Server Machine Learning Services](../sql-server-machine-learning-services.md) on Windows. You can use Machine Learning Services to run Python and R scripts in-database.
 
-> [!IMPORTANT]  
+> [!IMPORTANT]
 > These instructions apply to [!INCLUDE [sssql16-md](../../includes/sssql16-md.md)], [!INCLUDE [sssql17-md](../../includes/sssql17-md.md)], and [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)]. For [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)], refer to [Install SQL Server 2022 Machine Learning Services on Windows](sql-machine-learning-services-windows-install-sql-2022.md).
 
+## Python and R version reference
+
+The following table shows the Python and R runtime versions included with each SQL Server release. Use this table to determine which language versions are available for your SQL Server instance.
+
+| SQL Server version | Python version | R version |
+|---|---|---|
+| [!INCLUDE [sssql16-md](../../includes/sssql16-md.md)] | N/A (R only) | 3.2.2 |
+| [!INCLUDE [sssql17-md](../../includes/sssql17-md.md)] RTM - CU21 | 3.5.2 | 3.3.3 |
+| [!INCLUDE [sssql17-md](../../includes/sssql17-md.md)] CU22 and later | 3.5.2 and 3.7.2 | 3.3.3 and 3.5.2 |
+| [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)] | 3.7.1 | 3.5.2 |
+| [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)] | 3.10.2 | 4.2.0 |
+
+> [!NOTE]
+> Starting with [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)], runtimes for R, Python, and Java are no longer installed with SQL Server Setup. Instead, install your desired custom runtimes and packages. For more information, see [Install SQL Server 2022 Machine Learning Services on Windows](sql-machine-learning-services-windows-install-sql-2022.md).
+
+For more information about all supported versions, see [What is SQL Server Machine Learning Services?](../sql-server-machine-learning-services.md#python-and-r-versions)
+
 <a id="bkmk_prereqs"></a>
 
 ## Preinstallation checklist
@@ -107,7 +125,7 @@ For local installations, you must run the setup as an administrator. If you inst
 
    - **Python**
 
-     Select this option to add the Microsoft Python packages, the Python 3.5 executable, and select libraries from the Anaconda distribution.
+     Select this option to add the Microsoft Python packages, the Python executable, and select libraries from the Anaconda distribution. For the specific Python version included with your SQL Server release, see [Python and R version reference](#python-and-r-version-reference).
 
    ::: moniker range="=sql-server-ver15"
    For information on installing and using Java, see [Install SQL Server Java Language Extension on Windows](../../language-extensions/install/windows-java.md).
@@ -387,6 +405,8 @@ To install and manage additional packages, you can set up user groups to share p
 
 ## Related content
 
+- [What is SQL Server Machine Learning Services?](../sql-server-machine-learning-services.md)
+- [Install SQL Server 2022 Machine Learning Services on Windows](sql-machine-learning-services-windows-install-sql-2022.md)
 - [Python Tutorial: Deploy a linear regression model with SQL machine learning](../tutorials/python-ski-rental-linear-regression-deploy-model.md)
 - [Python tutorial: Categorizing customers using k-means clustering with SQL machine learning](../tutorials/python-clustering-model.md)
 - [Quickstart: Run simple R scripts with SQL machine learning](../tutorials/quickstart-r-create-script.md)