diff --git a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md index 63996bb7732..57ab5da7980 100644 --- a/azure-sql/database/transparent-data-encryption-byok-key-rotation.md +++ b/azure-sql/database/transparent-data-encryption-byok-key-rotation.md @@ -5,7 +5,7 @@ description: Learn how to rotate the Transparent data encryption (TDE) protector author: GithubMirek ms.author: mireks ms.reviewer: wiassaf, vanto, mathoma -ms.date: 01/16/2024 +ms.date: 07/03/2024 ms.service: azure-sql ms.subservice: security ms.topic: how-to @@ -188,6 +188,9 @@ Using the [Azure portal](https://portal.azure.com): When the key is rotated on the primary server, it's automatically transferred to the secondary server. +> [!NOTE] +> If the same key vault key on the primary server is used as the default TDE protector on the secondary server, ensure **Auto-rotate key** is enabled for **both** servers. Failure to do so may lead to the auto-rotation workflows entering an error state and prevent further manual key rotation operations. + # [PowerShell](#tab/azure-powershell-geo) The `` can be [retrieved from Key Vault](/azure/key-vault/keys/quick-create-portal#retrieve-a-key-from-key-vault).
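Review bot: in the second hunk (`@@ -188,6 +188,9 @@`), the new `[!NOTE]` is placed directly above the `# [PowerShell](#tab/azure-powershell-geo)` marker, so it renders only inside the preceding portal tab. The requirement it states, that **Auto-rotate key** be enabled on both servers when they share a key vault key, is not portal-specific as worded, so readers who follow the PowerShell tab will miss it. Consider moving the note above the tab group or repeating it in each tab. The note also names the failure (auto-rotation workflows entering an error state, further manual rotation blocked) without saying how to get out of that state. A sentence or link covering recovery would make it actionable. Two wording points: "may lead to ... and prevent" reads more cleanly as "can cause the auto-rotation workflows to enter an error state and block further manual key rotation", and "the same key vault key on the primary server is used as the default TDE protector on the secondary server" would be clearer as "the primary and secondary servers use the same key vault key as their TDE protector".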