diff --git a/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json b/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json
index fa4274854d..bad76a8a40 100644
--- a/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json
+++ b/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json
@@ -5,6 +5,9 @@
 "name": {
 "value": "<>-az-bv-x-001"
 },
+ "lock": {
+ "value": "CanNotDelete"
+ },
 "backupPolicies": {
 "value": [
 {
diff --git a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
index 91e85dfd0b..7018414b15 100644
--- a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
+++ b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep
@@ -11,12 +11,12 @@ param location string = resourceGroup().location
 param roleAssignments array = []
 
 @allowed([
+ ''
 'CanNotDelete'
- 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = 'NotSpecified'
+param lock string = ''
 
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -52,7 +52,7 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
 
-var enableChildTelemetry = false
+var enableReferencedModulesTelemetry = false
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
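Review bot: In the `@@ -11,12 +11,12 @@` hunk of deploy.bicep, the `lock` description never says that the new default `''` means no lock is deployed, and `'NotSpecified'` is no longer in `@allowed`, so callers still passing it will be rejected at validation. On a backup vault the lock is the guard against accidental deletion, so the opt-out should be spelled out: `@description('Optional. Specify the type of lock. An empty string (the default) deploys no lock.')`. The readme row for `lock` repeats the same description and shows the allowed list as `[, CanNotDelete, ReadOnly]`, so it would need the same wording to make the empty value readable.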
@@ -87,14 +87,14 @@ module backupVault_backupPolicies 'backupPolicies/deploy.bicep' = [for (backupPo
 backupVaultName: backupVault.name
 name: backupPolicy.name
 properties: backupPolicy.properties
- enableDefaultTelemetry: enableChildTelemetry
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }]
 
-resource backupVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (lock != 'NotSpecified') {
+resource backupVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
 name: '${backupVault.name}-${lock}-lock'
 properties: {
- level: lock
+ level: any(lock)
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: backupVault
diff --git a/arm/Microsoft.DataProtection/backupVaults/readme.md b/arm/Microsoft.DataProtection/backupVaults/readme.md
index cbde48bd06..b83dc6ea84 100644
--- a/arm/Microsoft.DataProtection/backupVaults/readme.md
+++ b/arm/Microsoft.DataProtection/backupVaults/readme.md
@@ -13,7 +13,7 @@ This module deploys DataProtection BackupVaults.
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Authorization/locks` | [2020-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
+| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
 | `Microsoft.DataProtection/backupVaults` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults) |
 | `Microsoft.DataProtection/backupVaults/backupPolicies` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults/backupPolicies) |
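Review bot: In the `@@ -87,14 +87,14 @@` hunk of deploy.bicep, `level: any(lock)` switches off Bicep's type check on the lock level, so the only remaining constraint on the value is the `@allowed` list on the `lock` parameter in the earlier hunk. The `notes` ternary likewise labels every value other than `'CanNotDelete'` as a modify lock, so the two would drift apart silently if the allowed list is ever extended. A comment above the line would record the dependency: `// any() bypasses the enum type check; valid levels are enforced by @allowed on the lock param`. The same hunk moves `Microsoft.Authorization/locks` from `2020-05-01` back to `2017-04-01` with no reason visible here, so a one-line comment stating why the older API version is pinned would help the next reader.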
@@ -32,7 +32,7 @@ This module deploys DataProtection BackupVaults.
 | `dataStoreType` | string | `'SnapshotStore'` | `[ArchiveStore, SnapshotStore, VaultStore]` | The datastore type to use. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the Recovery Service Vault resource. |
@@ -382,6 +382,9 @@ module backupVaults './Microsoft.DataProtection/backupVaults/deploy.bicep' = {
 "name": {
 "value": "<>-az-bv-x-001"
 },
+ "lock": {
+ "value": "CanNotDelete"
+ },
 "backupPolicies": {
 "value": [
 {
@@ -462,6 +465,7 @@ module backupVaults './Microsoft.DataProtection/backupVaults/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-backupVaults'
 params: {
 name: '<>-az-bv-x-001'
+ lock: 'CanNotDelete'
 backupPolicies: [
 {
 name: 'DefaultPolicy'