The last three variables did not meet the prerequisite conditions for parameterization, so SQL Server Management Studio did not attempt to parameterize them (their declarations are not marked in any way).

SSMS does not support role separation between those who manage the database (DBAs) and those who manage cryptographic secrets and have access to plaintext data (Security Administrators and/or Application Administrators).

If your organization enforces role separation, you should use PowerShell to configure Always Encrypted.

The wizard will auto-generate names for keys and their metadata objects in the database.

If you need more control over how your keys are provisioned (and more choices for a key store containing a column master key), you can use the New Column Master Key and New Column Encryption Key dialogs (described below) to provision keys before you start the wizard.

If you have not provisioned any keys for Always Encrypted, the wizard will auto-generate them for you.

You just need to pick a key store for your column master key: Windows Certificate Store or Azure Key Vault.

Depending on the current Always Encrypted configuration and the desired target configuration, the wizard can encrypt a column, decrypt it (remove encryption), or re-encrypt it (for example, using a new column encryption key or an encryption type that is different from the type currently configured for the column).

Multiple columns can be configured in a single run of the wizard.

If the query contains literals or Transact-SQL variables that target encrypted columns, the .NET Framework Data Provider for SQL Server will not be able to detect and encrypt them before sending the query to the database.
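
The batches below are an added example, not taken from the original page, showing how this plays out in an SSMS query window. The table `dbo.Patients`, its columns and all values are hypothetical; the example assumes the connection uses `Column Encryption Setting=Enabled` and that the SSMS query option "Enable Parameterization for Always Encrypted" is turned on.

```sql
-- Assumed (hypothetical) schema: dbo.Patients(PatientId int,
--   SSN char(11)   ENCRYPTED, deterministic (equality lookups allowed),
--   BirthDate date ENCRYPTED, randomized).
-- All values are constructed sample data.

-- 1) Literal targeting an encrypted column. The provider sends the statement
--    text unchanged, so the value is never encrypted on the client and
--    SQL Server rejects the comparison with an operand type clash error.
SELECT PatientId FROM dbo.Patients WHERE SSN = '000-00-0000';
GO

-- 2) Variables declared and initialized inline with a single literal.
--    SSMS converts each one into a query parameter, and the provider
--    encrypts the parameter value before it leaves the client.
--    The variable type must match the column type exactly.
DECLARE @SSN char(11) = '000-00-0000';
DECLARE @NewBirthDate date = '19800101';

SELECT PatientId FROM dbo.Patients WHERE SSN = @SSN;
UPDATE dbo.Patients SET BirthDate = @NewBirthDate WHERE SSN = @SSN;
GO

-- 3) Variables that do not qualify for parameterization. They stay ordinary
--    Transact-SQL variables, so using them against an encrypted column fails
--    the same way the literal in batch 1 does.
DECLARE @SSN2 char(11);               -- initialized separately from declaration
SET @SSN2 = '000-00-0000';
DECLARE @Today date = GETDATE();      -- initialized with a function, not a literal

SELECT PatientId FROM dbo.Patients WHERE SSN = @SSN2;
GO
```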

As the primary goal of Always Encrypted is to ensure encrypted sensitive data is safe even if the database system gets compromised, executing a PowerShell script that processes keys or sensitive data on the SQL Server computer can reduce or defeat the benefits of the feature.