diff --git a/.github/workflows/ms.compute.virtualmachinescalesets.yml b/.github/workflows/ms.compute.virtualmachinescalesets.yml
index ae86f20689..4353ac804b 100644
--- a/.github/workflows/ms.compute.virtualmachinescalesets.yml
+++ b/.github/workflows/ms.compute.virtualmachinescalesets.yml
@@ -106,8 +106,7 @@ jobs:
 - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]'
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
- parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
+ templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/.scripts/New-SSHKey.ps1 b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/.scripts/New-SSHKey.ps1
new file mode 100644
index 0000000000..d12de1c45b
--- /dev/null
+++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/.scripts/New-SSHKey.ps1
@@ -0,0 +1,19 @@
+param(
+ [string] $SSHKeyName,
+ [string] $ResourceGroupName
+)
+
+if (-not ($sshKey = Get-AzSshKey -ResourceGroupName $ResourceGroupName | Where-Object { $_.Name -eq $SSHKeyName })) {
+ Write-Verbose "No SSH key [$SSHKeyName] found in Resource Group [$ResourceGroupName]. Generating new." -Verbose
+ $null = ssh-keygen -f generated -N (Get-Random -Maximum 99999)
+ $publicKey = Get-Content 'generated.pub' -Raw
+ # $privateKey = cat generated | Out-String
+} else {
+ Write-Verbose "SSH key [$SSHKeyName] found in Resource Group [$ResourceGroupName]. Returning." -Verbose
+ $publicKey = $sshKey.publicKey
+}
+# Write into Deployment Script output stream
+$DeploymentScriptOutputs = @{
+ # Requires conversion as the script otherwise returns an object instead of the plain public key string
+ publicKey = $publicKey | Out-String
+}
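Review bot: The passphrase on the `ssh-keygen` line in New-SSHKey.ps1 comes from `Get-Random -Maximum 99999`, which is not a cryptographic generator and yields at most five digits, and the private key file `generated` is left in the script's working directory. Only `generated.pub` is read afterwards, so the private half is never needed; removing it right after the read with `Remove-Item -Path 'generated' -Force` avoids leaving a weakly protected key behind, presumably for as long as the script's resources are retained. Values below 10000 also give a passphrase shorter than five characters, which some ssh-keygen builds may reject, so that is worth confirming. The call pins neither `-t` nor `-b`, so key type and size depend on the ssh-keygen default of whatever image runs the script.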
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/.scripts/Set-BlobContent.ps1 b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/.scripts/Set-BlobContent.ps1
new file mode 100644
index 0000000000..06617105f7
--- /dev/null
+++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/.scripts/Set-BlobContent.ps1
@@ -0,0 +1,15 @@
+param(
+ [string] $StorageAccountName,
+ [string] $ResourceGroupName,
+ [string] $ContainerName,
+ [string] $FileName
+)
+
+Write-Verbose "Create file [$FileName]" -Verbose
+$file = New-Item -Value "Write-Host 'I am content'" -Path $FileName -Force
+
+Write-Verbose "Getting storage account [$StorageAccountName|$ResourceGroupName] context." -Verbose
+$storageAccount = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -ErrorAction 'Stop'
+
+Write-Verbose 'Uploading file [$fileName]' -Verbose
+Set-AzStorageBlobContent -File $file.FullName -Container $ContainerName -Context $storageAccount.Context -Force -ErrorAction 'Stop' | Out-Null
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min.parameters.json b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min.parameters.json
deleted file mode 100644
index a160f36fb7..0000000000
--- a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min.parameters.json
+++ /dev/null
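Review bot: The last `Write-Verbose` in Set-BlobContent.ps1 uses single quotes, so the log prints the literal text `$fileName` instead of the file name; it should read `Write-Verbose "Uploading file [$FileName]" -Verbose`. The upload goes through `$storageAccount.Context`, which presumably resolves to a key-based context and is why the script identity needs key-listing rights on the account. If the identity held a blob data role instead, `New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount` would keep the account keys out of the script.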
@@ -1,63 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-scaleset-linux-min-001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - "imageReference": { - "value": { - "publisher": "Canonical", - "offer": "UbuntuServer", - "sku": "18.04-LTS", - "version": "latest" - } - }, - "adminUsername": { - "value": "scaleSetAdmin" - }, - "disablePasswordAuthentication": { - "value": true - }, - "publicKeys": { - "value": [ - { - "path": "/home/scaleSetAdmin/.ssh/authorized_keys", - "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdOir5eO28EBwxU0Dyra7g9h0HUXDyMNFp2z8PhaTUQgHjrimkMxjYRwEOG/lxnYL7+TqZk+HcPTfbZOunHBw0Wx2CITzILt6531vmIYZGfq5YyYXbxZa5MON7L/PVivoRlPj5Z/t4RhqMhyfR7EPcZ516LJ8lXPTo8dE/bkOCS+kFBEYHvPEEKAyLs19sRcK37SeHjpX04zdg62nqtuRr00Tp7oeiTXA1xn5K5mxeAswotmd8CU0lWUcJuPBWQedo649b+L2cm52kTncOBI6YChAeyEc1PDF0Tn9FmpdOWKtI9efh+S3f8qkcVEtSTXoTeroBd31nzjAunMrZeM8Ut6dre+XeQQIjT7I8oEm+ZkIuIyq0x2fls8JXP2YJDWDqu8v1+yLGTQ3Z9XVt2lMti/7bIgYxS0JvwOr5n5L4IzKvhb4fm13LLDGFa3o7Nsfe3fPb882APE0bLFCmfyIeiPh7go70WqZHakpgIr6LCWTyePez9CsI/rfWDb6eAM8= generated-by-azure" - } - ] - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic01", - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" - } - } - } - ] - } - ] - } - } -} diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min/dependencies.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min/dependencies.bicep new file mode 100644 index 0000000000..42242725f6 --- /dev/null 
+++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min/dependencies.bicep 
@@ -0,0 +1,84 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
+param sshDeploymentScriptName string
+
+@description('Required. The name of the SSH Key to create.')
+param sshKeyName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
+ scope: resourceGroup()
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+ name: sshDeploymentScriptName
+ location: location
+ kind: 'AzurePowerShell'
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${managedIdentity.id}': {}
+ }
+ }
+ properties: {
+ azPowerShellVersion: '9.0'
+ retentionInterval: 'P1D'
+ arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
+ scriptContent: loadTextContent('../.scripts/New-SSHKey.ps1')
+ }
+ dependsOn: [
+ msiRGContrRoleAssignment
+ ]
+}
+
+resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
+ name: sshKeyName
+ location: location
+ properties: {
+ publicKey: sshDeploymentScript.properties.outputs.publicKey
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The Public Key of the created SSH Key.')
+output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min/deploy.test.bicep
new file mode 100644
index 0000000000..e4ad415b97
--- /dev/null
+++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.min/deploy.test.bicep
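Review bot: `msiRGContrRoleAssignment` in linux.min/dependencies.bicep gives the script identity Contributor on the whole resource group, while New-SSHKey.ps1 only calls `Get-AzSshKey` and runs `ssh-keygen` locally. A read-only role looks sufficient for this file, for example `roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader`; confirm the deployment script still runs with it. The same assignment appears in `.test/linux/dependencies.bicep`, where the upload script additionally needs access to the storage account, so a narrower scope or a blob data role is the option to weigh there.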
@@ -0,0 +1,86 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cvmsslinmin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ sshDeploymentScriptName: 'dep-<>-ds-${serviceShort}'
+ sshKeyName: 'dep-<>-ssh-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ adminUsername: 'scaleSetAdmin'
+ imageReference: {
+ offer: 'UbuntuServer'
+ publisher: 'Canonical'
+ sku: '18.04-LTS'
+ version: 'latest'
+ }
+ osDisk: {
+ createOption: 'fromImage'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ osType: 'Linux'
+ skuName: 'Standard_B12ms'
+ disablePasswordAuthentication: true
+ nicConfigurations: [
+ {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resourceGroupResources.outputs.subnetResourceId
+ }
+ }
+ }
+ ]
+ nicSuffix: '-nic01'
+ }
+ ]
+ publicKeys: [
+ {
+ keyData: resourceGroupResources.outputs.SSHKeyPublicKey
+ path: '/home/scaleSetAdmin/.ssh/authorized_keys'
+ }
+ ]
+ }
+}
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.parameters.json b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.parameters.json
deleted file mode 100644
index ca6b1b3704..0000000000
--- a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux.parameters.json
+++ /dev/null
@@ -1,189 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-scaleset-linux-001" - }, - "lock": { - "value": "CanNotDelete" - }, - "vmNamePrefix": { - "value": "vmsslinvm" - }, - "skuName": { - "value": "Standard_B12ms" - }, - "skuCapacity": { - "value": 1 - }, - "upgradePolicyMode": { - "value": "Manual" - }, - "vmPriority": { - "value": "Regular" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "availabilityZones": { - "value": [ - "2" - ] - }, - "scaleSetFaultDomain": { - "value": 1 - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "bootDiagnosticStorageAccountName": { - "value": "adp<>azsax001" - }, - "osType": { - "value": "Linux" - }, - "encryptionAtHost": { - "value": false - }, - "imageReference": { - "value": { - "publisher": "Canonical", - "offer": "UbuntuServer", - "sku": "18.04-LTS", - "version": "latest" - } - }, - "adminUsername": { - "value": "scaleSetAdmin" - }, - "disablePasswordAuthentication": { - "value": true - }, - "publicKeys": { - "value": [ - { - "path": "/home/scaleSetAdmin/.ssh/authorized_keys", - "keyData": "ssh-rsa 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 generated-by-azure" - } - ] - }, - "dataDisks": { - "value": [ - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "256", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - }, - { - "caching": "ReadOnly", - "createOption": "Empty", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic01", - 
"ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" - } - } - } - ] - } - ] - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ] - }, - "diagnosticLogsRetentionInDays": { - "value": 7 - }, - "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" - }, - "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" - }, - "diagnosticEventHubName": { - "value": "adp-<>-az-evh-x-001" - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "https://adp-<>-az-kv-x-001.vault.azure.net/", - "KeyVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", - "KeyEncryptionKeyURL": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys - "KekVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "VolumeType": "All", - "ResizeOSDisk": "false" - } - } - }, - 
"extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "uri": "https://adp<>azsax001.blob.core.windows.net/scripts/scriptExtensionMasterInstaller.ps1", - "storageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" - } - ], - "protectedSettings": { - "commandToExecute": "sudo apt-get update" - } - } - } - } -} diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux/dependencies.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux/dependencies.bicep new file mode 100644 index 0000000000..dc4e1fa522 --- /dev/null +++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux/dependencies.bicep 
@@ -0,0 +1,193 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
+@description('Required. The name of the Storage Account to create.')
+param storageAccountName string
+
+@description('Required. The name of the Deployment Script used to upload data to the Storage Account.')
+param storageUploadDeploymentScriptName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Deployment Script to create for the SSH Key generation.')
+param sshDeploymentScriptName string
+
+@description('Required. The name of the SSH Key to create.')
+param sshKeyName string
+
+var storageContainerName = 'scripts'
+var storageAccountCSEFileName = 'scriptExtensionMasterInstaller.ps1'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+ name: keyVaultName
+ location: location
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enablePurgeProtection: null
+ enabledForTemplateDeployment: true
+ enabledForDiskEncryption: true
+ enabledForDeployment: true
+ enableRbacAuthorization: true
+ accessPolicies: []
+ }
+
+ resource key 'keys@2022-07-01' = {
+ name: 'encryptionKey'
+ properties: {
+ kty: 'RSA'
+ }
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(resourceGroup().id, 'Contributor', managedIdentity.id)
+ scope: resourceGroup()
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource msiKVCryptoUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(keyVault::key.id, 'Key Vault Crypto User', managedIdentity.id)
+ scope: keyVault::key
+ properties: {
+ principalId: managedIdentity.properties.principalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
+ name: storageAccountName
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+
+ resource blobService 'blobServices@2021-09-01' = {
+ name: 'default'
+
+ resource container 'containers@2021-09-01' = {
+ name: storageContainerName
+ }
+ }
+}
+
+resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+ name: storageUploadDeploymentScriptName
+ location: location
+ kind: 'AzurePowerShell'
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${managedIdentity.id}': {}
+ }
+ }
+ properties: {
+ azPowerShellVersion: '9.0'
+ retentionInterval: 'P1D'
+ arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"'
+ scriptContent: loadTextContent('../.scripts/Set-BlobContent.ps1')
+ }
+ dependsOn: [
+ msiRGContrRoleAssignment
+ ]
+}
+
+resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+ name: sshDeploymentScriptName
+ location: location
+ kind: 'AzurePowerShell'
+ identity: {
+ type: 'UserAssigned'
+ userAssignedIdentities: {
+ '${managedIdentity.id}': {}
+ }
+ }
+ properties: {
+ azPowerShellVersion: '9.0'
+ retentionInterval: 'P1D'
+ arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
+ scriptContent: loadTextContent('../.scripts/New-SSHKey.ps1')
+ }
+ dependsOn: [
+ msiRGContrRoleAssignment
+ ]
+}
+
+resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
+ name: sshKeyName
+ location: location
+ properties: {
+ publicKey: sshDeploymentScript.properties.outputs.publicKey
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The URL of the created Key Vault.')
+output keyVaultUrl string = keyVault.properties.vaultUri
+
+@description('The URL of the created Key Vault Encryption Key.')
+output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion
+
+@description('The name of the created Storage Account.')
+output storageAccountName string = storageAccount.name
+
+@description('The resource ID of the created Storage Account.')
+output storageAccountResourceId string = storageAccount.id
+
+@description('The URL of the Custom Script Extension in the created Storage Account')
+output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEndpoints.blob}${storageContainerName}/${storageAccountCSEFileName}'
+
+@description('The Public Key of the created SSH Key')
+output SSHKeyPublicKey string = sshKey.properties.publicKey
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux/deploy.test.bicep
new file mode 100644
index 0000000000..8ed97f6e59
--- /dev/null
+++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/linux/deploy.test.bicep
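Review bot: The `storageAccount` resource in linux/dependencies.bicep sets no `properties`, so public blob access, minimum TLS version and HTTPS-only are left at the API defaults, and this account hosts the file that the test's Custom Script Extension config points the instances at. I would add a `properties` block with `allowBlobPublicAccess: false`, `minimumTlsVersion: 'TLS1_2'` and `supportsHttpsTrafficOnly: true`. The key vault that holds the disk-encryption key sets `enablePurgeProtection: null`; if that is deliberate so test vaults can be purged, a short comment such as `// purge protection left off so the test vault can be removed` would say so.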
@@ -0,0 +1,183 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cvmsslin'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ keyVaultName: 'dep-<>-kv-${serviceShort}'
+ storageAccountName: 'dep<>sa${serviceShort}01'
+ storageUploadDeploymentScriptName: 'dep-<>-sads-${serviceShort}'
+ sshDeploymentScriptName: 'dep-<>-ds-${serviceShort}'
+ sshKeyName: 'dep-<>-ssh-${serviceShort}'
+ }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+ params: {
+ storageAccountName: 'dep<>diasa${serviceShort}01'
+ logAnalyticsWorkspaceName: 'dep-<>-law-${serviceShort}'
+ eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}'
+ eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}'
+ location: location
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ adminUsername: 'scaleSetAdmin'
+ imageReference: {
+ offer: 'UbuntuServer'
+ publisher: 'Canonical'
+ sku: '18.04-LTS'
+ version: 'latest'
+ }
+ osDisk: {
+ createOption: 'fromImage'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ osType: 'Linux'
+ skuName: 'Standard_B12ms'
+ availabilityZones: [
+ '2'
+ ]
+ bootDiagnosticStorageAccountName: resourceGroupResources.outputs.storageAccountName
+ dataDisks: [
+ {
+ caching: 'ReadOnly'
+ createOption: 'Empty'
+ diskSizeGB: '256'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ {
+ caching: 'ReadOnly'
+ createOption: 'Empty'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ ]
+ diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+ diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+ diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+ diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ diagnosticLogsRetentionInDays: 7
+ disablePasswordAuthentication: true
+ encryptionAtHost: false
+ extensionCustomScriptConfig: {
+ enabled: true
+ fileData: [
+ {
+ storageAccountId: resourceGroupResources.outputs.storageAccountResourceId
+ uri: resourceGroupResources.outputs.storageAccountCSEFileUrl
+ }
+ ]
+ protectedSettings: {
+ commandToExecute: 'sudo apt-get update'
+ }
+ }
+ extensionDependencyAgentConfig: {
+ enabled: true
+ }
+ extensionDiskEncryptionConfig: {
+ enabled: true
+ settings: {
+ EncryptionOperation: 'EnableEncryption'
+ KekVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId
+ KeyEncryptionAlgorithm: 'RSA-OAEP'
+ KeyEncryptionKeyURL: resourceGroupResources.outputs.keyVaultEncryptionKeyUrl
+ KeyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId
+ KeyVaultURL: resourceGroupResources.outputs.keyVaultUrl
+ ResizeOSDisk: 'false'
+ VolumeType: 'All'
+ }
+ }
+ extensionMonitoringAgentConfig: {
+ enabled: true
+ }
+ extensionNetworkWatcherAgentConfig: {
+ enabled: true
+ }
+ lock: 'CanNotDelete'
+ nicConfigurations: [
+ {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resourceGroupResources.outputs.subnetResourceId
+ }
+ }
+ }
+ ]
+ nicSuffix: '-nic01'
+ }
+ ]
+ publicKeys: [
+ {
+ keyData: resourceGroupResources.outputs.SSHKeyPublicKey
+ path: '/home/scaleSetAdmin/.ssh/authorized_keys'
+ }
+ ]
+ roleAssignments: [
+ {
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ scaleSetFaultDomain: 1
+ skuCapacity: 1
+ systemAssignedIdentity: true
+ upgradePolicyMode: 'Manual'
+ userAssignedIdentities: {
+ '${resourceGroupResources.outputs.managedIdentityResourceId}': {}
+ }
+ vmNamePrefix: 'vmsslinvm'
+ vmPriority: 'Regular'
+ }
+}
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min.parameters.json b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min.parameters.json
deleted file mode 100644
index cb84878c09..0000000000
--- a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min.parameters.json
+++ /dev/null
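Review bot: The identity passed to `userAssignedIdentities` in linux/deploy.test.bicep is the one that the sibling dependencies.bicep in this diff makes Contributor on the resource group in order to run the deployment scripts, so every scale set instance can request tokens carrying that role. The test would model least privilege better if the scale set got a separate identity with no resource-group role and the privileged one stayed with the deployment scripts. That needs a second `userAssignedIdentities` resource and matching outputs in dependencies.bicep, which is outside this hunk.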
@@ -1,65 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-scaleset-win-min-001" - }, - "skuName": { - "value": "Standard_B12ms" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2016-Datacenter", - "version": "latest" - } - }, - "adminUsername": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminUsername" - } - }, - "adminPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminPassword" - } - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic01", - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" - } - } - } - ] - } - ] - } - } -} diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min/dependencies.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min/dependencies.bicep new file mode 100644 index 0000000000..12d074b6a7 --- /dev/null +++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min/dependencies.bicep 
@@ -0,0 +1,28 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ '10.0.0.0/24'
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: '10.0.0.0/24'
+ }
+ }
+ ]
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min/deploy.test.bicep
new file mode 100644
index 0000000000..46f911e739
--- /dev/null
+++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.min/deploy.test.bicep
@@ -0,0 +1,81 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cvmsswinmin'
+
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ virtualNetworkName: 'dep-<>-vnet-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ name: '<>${serviceShort}001'
+ adminUsername: 'localAdminUser'
+ adminPassword: password
+ imageReference: {
+ offer: 'WindowsServer'
+ publisher: 'MicrosoftWindowsServer'
+ sku: '2016-Datacenter'
+ version: 'latest'
+ }
+ osDisk: {
+ createOption: 'fromImage'
+ diskSizeGB: '128'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ osType: 'Windows'
+ skuName: 'Standard_B12ms'
+ nicConfigurations: [
+ {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resourceGroupResources.outputs.subnetResourceId
+ }
+ }
+ }
+ ]
+ nicSuffix: '-nic01'
+ }
+ ]
+ }
+}
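Review bot: `param password string = newGuid()` in windows.min/deploy.test.bicep carries no hint that the default is a throwaway: it is regenerated on every deployment and is not written anywhere visible in this file, so a redeploy presents a different `adminPassword` and nobody can log in with it. A GUID is also not documented as a secret-grade random value, which is acceptable for a test that never logs in but should not be copied into a real deployment. I would extend the description to say so, e.g. `@description('Optional. The password to leverage for the login. Defaults to a throwaway value that is regenerated on each deployment.')`.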
diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.parameters.json b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.parameters.json deleted file mode 100644 index 28cb36aa8c..0000000000 --- a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows.parameters.json +++ /dev/null 
@@ -1,188 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-scaleset-win-001" - }, - "lock": { - "value": "CanNotDelete" - }, - "vmNamePrefix": { - "value": "vmsswinvm" - }, - "skuName": { - "value": "Standard_B12ms" - }, - "skuCapacity": { - "value": 1 - }, - "upgradePolicyMode": { - "value": "Manual" - }, - "vmPriority": { - "value": "Regular" - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "encryptionAtHost": { - "value": false - }, - "imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2016-Datacenter", - "version": "latest" - } - }, - "adminUsername": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminUsername" - } - }, - "adminPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminPassword" - } - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic01", - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" - } - } - } - ] - } - ] - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ] - }, 
- "diagnosticLogsRetentionInDays": { - "value": 7 - }, - "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" - }, - "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" - }, - "diagnosticEventHubName": { - "value": "adp-<>-az-evh-x-001" - }, - "proximityPlacementGroupResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Compute/proximityPlacementGroups/adp-<>-az-ppg-vmss-001" - }, - "extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": true, - "Exclusions": { - "Extensions": ".log;.ldf", - "Paths": "D:\\IISlogs;D:\\DatabaseLogs", - "Processes": "mssence.svc" - }, - "RealtimeProtectionEnabled": true, - "ScheduledScanSettings": { - "isEnabled": "true", - "scanType": "Quick", - "day": "7", - "time": "120" - } - } - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KeyVaultURL": "https://adp-<>-az-kv-x-001.vault.azure.net/", - "KeyVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", - "KeyEncryptionKeyURL": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", // ID must be updated for new keys - "KekVaultResourceId": 
"/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "VolumeType": "All", - "ResizeOSDisk": "false" - } - } - }, - "extensionDSCConfig": { - "value": { - "enabled": true - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "uri": "https://adp<>azsax001.blob.core.windows.net/scripts/scriptExtensionMasterInstaller.ps1", - "storageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" - } - ], - "protectedSettings": { - "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"& .\\scriptExtensionMasterInstaller.ps1\"" - } - } - } - } -} diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows/dependencies.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows/dependencies.bicep new file mode 100644 index 0000000000..7e55210407 --- /dev/null +++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows/dependencies.bicep 
@@ -0,0 +1,166 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Deployment Script used to upload data to the Storage Account.') +param storageUploadDeploymentScriptName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Proximity Placement Group to create.') +param proximityPlacementGroupName string + +var storageContainerName = 'scripts' +var storageAccountCSEFileName = 'scriptExtensionMasterInstaller.ps1' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + '10.0.0.0/24' + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: '10.0.0.0/24' + } + } + ] + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, 
'Contributor', managedIdentity.id) + scope: resourceGroup() + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalType: 'ServicePrincipal' + } +} + +resource msiKVCryptoUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(keyVault::key.id, 'Key Vault Crypto User', managedIdentity.id) + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + + resource blobService 'blobServices@2021-09-01' = { + name: 'default' + + resource container 'containers@2021-09-01' = { + name: storageContainerName + } + } +} + +resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: storageUploadDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '9.0' + retentionInterval: 'P1D' + arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"' + scriptContent: loadTextContent('../.scripts/Set-BlobContent.ps1') + } + dependsOn: [ + msiRGContrRoleAssignment + ] +} + +resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = { + name: proximityPlacementGroupName + location: location +} + +@description('The resource ID of the 
created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The URL of the created Key Vault.') +output keyVaultUrl string = keyVault.properties.vaultUri + +@description('The URL of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The URL of the Custom Script Extension in the created Storage Account') +output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEndpoints.blob}${storageContainerName}/${storageAccountCSEFileName}' + +@description('The name of the Custom Script Extension in the created Storage Account') +output storageAccountCSEFileName string = storageAccountCSEFileName + +@description('The resource ID of the created Proximity Placement Group.') +output proximityPlacementGroupResourceId string = proximityPlacementGroup.id diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows/deploy.test.bicep new file mode 100644 index 0000000000..e1e1854857 --- /dev/null +++ b/modules/Microsoft.Compute/virtualMachineScaleSets/.test/windows/deploy.test.bicep 
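Review bot: `msiRGContrRoleAssignment` in dependencies.bicep grants the managed identity Contributor on the whole resource group, while the only work the `storageUpload` deployment script does with it (Set-BlobContent.ps1) is to look up one storage account and upload a blob into its `scripts` container. Scoping the assignment to the storage account keeps the identity away from the Key Vault, the virtual network and the scale set created in the same group: `scope: storageAccount` with `name: guid(storageAccount.id, 'Storage Account Contributor', managedIdentity.id)` and the Storage Account Contributor role definition in place of Contributor. Whether that narrower role is enough for the deployment script to run should be confirmed with a test deployment before merging. If the broad role has to stay, a comment on the resource should say why, since the trailing `// Contributor` only names the role.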
@@ -0,0 +1,179 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.compute.virtualmachinescalesets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cvmsswin' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module resourceGroupResources 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + virtualNetworkName: 'dep-<>-vnet-${serviceShort}' + managedIdentityName: 'dep-<>-msi-${serviceShort}' + keyVaultName: 'dep-<>-kv-${serviceShort}' + storageAccountName: 'dep<>sa${serviceShort}01' + storageUploadDeploymentScriptName: 'dep-<>-sads-${serviceShort}' + proximityPlacementGroupName: 'dep-<>-ppg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep<>diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-<>-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-<>-evh-${serviceShort}' + eventHubNamespaceName: 'dep-<>-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// 
============== // + +module testDeployment '../../deploy.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + name: '<>${serviceShort}001' + adminUsername: 'localAdminUser' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2016-Datacenter' + version: 'latest' + } + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + skuName: 'Standard_B12ms' + adminPassword: password + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + diagnosticLogsRetentionInDays: 7 + encryptionAtHost: false + extensionAntiMalwareConfig: { + enabled: true + settings: { + AntimalwareEnabled: true + Exclusions: { + Extensions: '.log;.ldf' + Paths: 'D:\\IISlogs;D:\\DatabaseLogs' + Processes: 'mssence.svc' + } + RealtimeProtectionEnabled: true + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: resourceGroupResources.outputs.storageAccountResourceId + uri: resourceGroupResources.outputs.storageAccountCSEFileUrl + } + ] + protectedSettings: { + commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./${resourceGroupResources.outputs.storageAccountCSEFileName}"' + } + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId + KeyEncryptionAlgorithm: 'RSA-OAEP' + 
KeyEncryptionKeyURL: resourceGroupResources.outputs.keyVaultEncryptionKeyUrl + KeyVaultResourceId: resourceGroupResources.outputs.keyVaultResourceId + KeyVaultURL: resourceGroupResources.outputs.keyVaultUrl + ResizeOSDisk: 'false' + VolumeType: 'All' + } + } + extensionDSCConfig: { + enabled: true + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + lock: 'CanNotDelete' + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: resourceGroupResources.outputs.subnetResourceId + } + } + } + ] + nicSuffix: '-nic01' + } + ] + proximityPlacementGroupResourceId: resourceGroupResources.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + principalIds: [ + resourceGroupResources.outputs.managedIdentityPrincipalId + ] + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 1 + systemAssignedIdentity: true + upgradePolicyMode: 'Manual' + userAssignedIdentities: { + '${resourceGroupResources.outputs.managedIdentityResourceId}': {} + } + vmNamePrefix: 'vmsswinvm' + vmPriority: 'Regular' + } +} diff --git a/modules/Microsoft.Compute/virtualMachineScaleSets/readme.md b/modules/Microsoft.Compute/virtualMachineScaleSets/readme.md index 0f84bcfeec..a8362ae404 100644 --- a/modules/Microsoft.Compute/virtualMachineScaleSets/readme.md +++ b/modules/Microsoft.Compute/virtualMachineScaleSets/readme.md @@ -890,7 +890,7 @@ The following module usage examples are retrieved from the content of the files >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -
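Review bot: In `.test/windows/deploy.test.bicep`, `userAssignedIdentities` attaches `resourceGroupResources.outputs.managedIdentityResourceId` to the scale set, and that is the same identity dependencies.bicep gives Contributor on the resource group for the blob upload script. Any process running on a scale-set instance can request tokens for an attached identity, so the instances inherit write access to every resource in the test resource group. The test only needs some user-assigned identity to be present on the scale set, so I would create a second identity in dependencies.bicep with no role assignment other than the `Reader` one made here, expose it through its own outputs, and reference those outputs in `userAssignedIdentities` and `roleAssignments`. The deployment-script identity then stays off the virtual machines.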

Example 1: Linux Min

+

Example 1: Linux

@@ -898,7 +898,7 @@ The following module usage examples are retrieved from the content of the files ```bicep module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-VirtualMachineScaleSets' + name: '${uniqueString(deployment().name)}-test-cvmsslin' params: { // Required parameters adminUsername: 'scaleSetAdmin' @@ -908,140 +908,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl sku: '18.04-LTS' version: 'latest' } - name: '<>-scaleset-linux-min-001' - osDisk: { - createOption: 'fromImage' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - skuName: 'Standard_B12ms' - // Non-required parameters - disablePasswordAuthentication: true - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig1' - properties: { - subnet: { - id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002' - } - } - } - ] - nicSuffix: '-nic01' - } - ] - publicKeys: [ - { - keyData: 'ssh-rsa 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 generated-by-azure' - path: '/home/scaleSetAdmin/.ssh/authorized_keys' - } - ] - } -} -``` - -
-

- -

- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "scaleSetAdmin" - }, - "imageReference": { - "value": { - "offer": "UbuntuServer", - "publisher": "Canonical", - "sku": "18.04-LTS", - "version": "latest" - } - }, - "name": { - "value": "<>-scaleset-linux-min-001" - }, - "osDisk": { - "value": { - "createOption": "fromImage", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "skuName": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "disablePasswordAuthentication": { - "value": true - }, - "nicConfigurations": { - "value": [ - { - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" - } - } - } - ], - "nicSuffix": "-nic01" - } - ] - }, - "publicKeys": { - "value": [ - { - "keyData": "ssh-rsa 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 generated-by-azure", - "path": "/home/scaleSetAdmin/.ssh/authorized_keys" - } - ] - } - } -} -``` - -
-

- -

Example 2: Linux

- -
- -via Bicep module - -```bicep -module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-VirtualMachineScaleSets' - params: { - // Required parameters - adminUsername: 'scaleSetAdmin' - imageReference: { - offer: 'UbuntuServer' - publisher: 'Canonical' - sku: '18.04-LTS' - version: 'latest' - } - name: '<>-scaleset-linux-001' + name: '<>cvmsslin001' osDisk: { createOption: 'fromImage' diskSizeGB: '128' @@ -1055,7 +922,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl availabilityZones: [ '2' ] - bootDiagnosticStorageAccountName: 'adp<>azsax001' + bootDiagnosticStorageAccountName: '' dataDisks: [ { caching: 'ReadOnly' @@ -1074,19 +941,19 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl } } ] - diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' - diagnosticEventHubName: 'adp-<>-az-evh-x-001' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' diagnosticLogsRetentionInDays: 7 - diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' - diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' disablePasswordAuthentication: true encryptionAtHost: false extensionCustomScriptConfig: { enabled: true fileData: [ { - storageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' - uri: 'https://adp<>azsax001.blob.core.windows.net/scripts/scriptExtensionMasterInstaller.ps1' + storageAccountId: '' + uri: '' } ] protectedSettings: { 
@@ -1100,11 +967,11 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl enabled: true settings: { EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + KekVaultResourceId: '' KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: 'https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' - KeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' - KeyVaultURL: 'https://adp-<>-az-kv-x-001.vault.azure.net/' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' ResizeOSDisk: 'false' VolumeType: 'All' } @@ -1123,7 +990,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl name: 'ipconfig1' properties: { subnet: { - id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002' + id: '' } } } @@ -1133,14 +1000,14 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl ] publicKeys: [ { - keyData: 'ssh-rsa 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 generated-by-azure' + keyData: '' path: '/home/scaleSetAdmin/.ssh/authorized_keys' } ] roleAssignments: [ { principalIds: [ - '<>' + '' ] roleDefinitionIdOrName: 'Reader' } @@ -1150,7 +1017,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl systemAssignedIdentity: true upgradePolicyMode: 'Manual' userAssignedIdentities: { - '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + '': {} } vmNamePrefix: 'vmsslinvm' vmPriority: 'Regular' 
@@ -1183,7 +1050,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl } }, "name": { - "value": "<>-scaleset-linux-001" + "value": "<>cvmsslin001" }, "osDisk": { "value": { @@ -1207,7 +1074,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl ] }, "bootDiagnosticStorageAccountName": { - "value": "adp<>azsax001" + "value": "" }, "dataDisks": { "value": [ @@ -1230,19 +1097,19 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl ] }, "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + "value": "" }, "diagnosticEventHubName": { - "value": "adp-<>-az-evh-x-001" + "value": "" }, "diagnosticLogsRetentionInDays": { "value": 7 }, "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + "value": "" }, "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" + "value": "" }, "disablePasswordAuthentication": { "value": true @@ -1255,8 +1122,8 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "enabled": true, "fileData": [ { - "storageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001", - "uri": "https://adp<>azsax001.blob.core.windows.net/scripts/scriptExtensionMasterInstaller.ps1" + "storageAccountId": "", + "uri": "" } ], "protectedSettings": { 
@@ -1274,11 +1141,11 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "enabled": true, "settings": { "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", + "KekVaultResourceId": "", "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", - "KeyVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", - "KeyVaultURL": "https://adp-<>-az-kv-x-001.vault.azure.net/", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", "ResizeOSDisk": "false", "VolumeType": "All" } @@ -1305,7 +1172,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "name": "ipconfig1", "properties": { "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" + "id": "" } } } @@ -1317,7 +1184,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "publicKeys": { "value": [ { - "keyData": "ssh-rsa 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 generated-by-azure", + "keyData": "", "path": "/home/scaleSetAdmin/.ssh/authorized_keys" } ] @@ -1326,7 +1193,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "value": [ { "principalIds": [ - "<>" + "" ], "roleDefinitionIdOrName": "Reader" } @@ -1346,7 +1213,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl }, "userAssignedIdentities": { "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + "": {} } }, "vmNamePrefix": { 
@@ -1362,30 +1229,25 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl

-

Example 3: Windows Min

+

Example 2: Linux.Min

via Bicep module ```bicep -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-<>-az-kv-x-001' - scope: resourceGroup('<>','validation-rg') -} - module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-VirtualMachineScaleSets' + name: '${uniqueString(deployment().name)}-test-cvmsslinmin' params: { // Required parameters - adminUsername: kv1.getSecret('adminUsername') + adminUsername: 'scaleSetAdmin' imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2016-Datacenter' + offer: 'UbuntuServer' + publisher: 'Canonical' + sku: '18.04-LTS' version: 'latest' } - name: '<>-scaleset-win-min-001' + name: '<>cvmsslinmin001' osDisk: { createOption: 'fromImage' diskSizeGB: '128' @@ -1393,10 +1255,10 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl storageAccountType: 'Premium_LRS' } } - osType: 'Windows' + osType: 'Linux' skuName: 'Standard_B12ms' // Non-required parameters - adminPassword: kv1.getSecret('adminPassword') + disablePasswordAuthentication: true nicConfigurations: [ { ipConfigurations: [ @@ -1404,7 +1266,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl name: 'ipconfig1' properties: { subnet: { - id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002' + id: '' } } } @@ -1412,6 +1274,12 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl nicSuffix: '-nic01' } ] + publicKeys: [ + { + keyData: '' + path: '/home/scaleSetAdmin/.ssh/authorized_keys' + } + ] } } ``` 
@@ -1430,23 +1298,18 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "parameters": { // Required parameters "adminUsername": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminUsername" - } + "value": "scaleSetAdmin" }, "imageReference": { "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2016-Datacenter", + "offer": "UbuntuServer", + "publisher": "Canonical", + "sku": "18.04-LTS", "version": "latest" } }, "name": { - "value": "<>-scaleset-win-min-001" + "value": "<>cvmsslinmin001" }, "osDisk": { "value": { @@ -1458,19 +1321,14 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl } }, "osType": { - "value": "Windows" + "value": "Linux" }, "skuName": { "value": "Standard_B12ms" }, // Non-required parameters - "adminPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminPassword" - } + "disablePasswordAuthentication": { + "value": true }, "nicConfigurations": { "value": [ @@ -1480,7 +1338,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "name": "ipconfig1", "properties": { "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" + "id": "" } } } @@ -1488,6 +1346,14 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "nicSuffix": "-nic01" } ] + }, + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/scaleSetAdmin/.ssh/authorized_keys" + } + ] } } } @@ -1496,30 +1362,25 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl

-

Example 4: Windows

+

Example 3: Windows

via Bicep module ```bicep -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-<>-az-kv-x-001' - scope: resourceGroup('<>','validation-rg') -} - module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-VirtualMachineScaleSets' + name: '${uniqueString(deployment().name)}-test-cvmsswin' params: { // Required parameters - adminUsername: kv1.getSecret('adminUsername') + adminUsername: 'localAdminUser' imageReference: { offer: 'WindowsServer' publisher: 'MicrosoftWindowsServer' sku: '2016-Datacenter' version: 'latest' } - name: '<>-scaleset-win-001' + name: '<>cvmsswin001' osDisk: { createOption: 'fromImage' diskSizeGB: '128' @@ -1530,12 +1391,12 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl osType: 'Windows' skuName: 'Standard_B12ms' // Non-required parameters - adminPassword: kv1.getSecret('adminPassword') - diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' - diagnosticEventHubName: 'adp-<>-az-evh-x-001' + adminPassword: '' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' diagnosticLogsRetentionInDays: 7 - diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' - diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' encryptionAtHost: false extensionAntiMalwareConfig: { enabled: true 
@@ -1559,12 +1420,12 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl enabled: true fileData: [ { - storageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' - uri: 'https://adp<>azsax001.blob.core.windows.net/scripts/scriptExtensionMasterInstaller.ps1' + storageAccountId: '' + uri: '' } ] protectedSettings: { - commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command \'& .\\scriptExtensionMasterInstaller.ps1\'' + commandToExecute: '' } } extensionDependencyAgentConfig: { @@ -1574,11 +1435,11 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl enabled: true settings: { EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + KekVaultResourceId: '' KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: 'https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5' - KeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' - KeyVaultURL: 'https://adp-<>-az-kv-x-001.vault.azure.net/' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' ResizeOSDisk: 'false' VolumeType: 'All' } @@ -1600,7 +1461,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl name: 'ipconfig1' properties: { subnet: { - id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002' + id: '' } } } 
@@ -1608,11 +1469,11 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl nicSuffix: '-nic01' } ] - proximityPlacementGroupResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Compute/proximityPlacementGroups/adp-<>-az-ppg-vmss-001' + proximityPlacementGroupResourceId: '' roleAssignments: [ { principalIds: [ - '<>' + '' ] roleDefinitionIdOrName: 'Reader' } @@ -1621,7 +1482,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl systemAssignedIdentity: true upgradePolicyMode: 'Manual' userAssignedIdentities: { - '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + '': {} } vmNamePrefix: 'vmsswinvm' vmPriority: 'Regular' @@ -1643,12 +1504,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "parameters": { // Required parameters "adminUsername": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminUsername" - } + "value": "localAdminUser" }, "imageReference": { "value": { @@ -1659,7 +1515,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl } }, "name": { - "value": "<>-scaleset-win-001" + "value": "<>cvmsswin001" }, "osDisk": { "value": { 
@@ -1678,27 +1534,22 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl }, // Non-required parameters "adminPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminPassword" - } + "value": "" }, "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + "value": "" }, "diagnosticEventHubName": { - "value": "adp-<>-az-evh-x-001" + "value": "" }, "diagnosticLogsRetentionInDays": { "value": 7 }, "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + "value": "" }, "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" + "value": "" }, "encryptionAtHost": { "value": false @@ -1728,12 +1579,12 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "enabled": true, "fileData": [ { - "storageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001", - "uri": "https://adp<>azsax001.blob.core.windows.net/scripts/scriptExtensionMasterInstaller.ps1" + "storageAccountId": "", + "uri": "" } ], "protectedSettings": { - "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"& .\\scriptExtensionMasterInstaller.ps1\"" + "commandToExecute": "" } } }, 
@@ -1747,11 +1598,11 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "enabled": true, "settings": { "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", + "KekVaultResourceId": "", "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5", - "KeyVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001", - "KeyVaultURL": "https://adp-<>-az-kv-x-001.vault.azure.net/", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", "ResizeOSDisk": "false", "VolumeType": "All" } @@ -1783,7 +1634,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "name": "ipconfig1", "properties": { "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-002" + "id": "" } } } @@ -1793,13 +1644,13 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl ] }, "proximityPlacementGroupResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Compute/proximityPlacementGroups/adp-<>-az-ppg-vmss-001" + "value": "" }, "roleAssignments": { "value": [ { "principalIds": [ - "<>" + "" ], "roleDefinitionIdOrName": "Reader" } @@ -1816,7 +1667,7 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl }, "userAssignedIdentities": { "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + "": {} } }, "vmNamePrefix": { @@ -1831,3 +1682,122 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl

+ +

Example 4: Windows.Min

+ +
+ +via Bicep module + +```bicep +module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-test-cvmsswinmin' + params: { + // Required parameters + adminUsername: 'localAdminUser' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2016-Datacenter' + version: 'latest' + } + name: '<>cvmsswinmin001' + osDisk: { + createOption: 'fromImage' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + skuName: 'Standard_B12ms' + // Non-required parameters + adminPassword: '' + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig1' + properties: { + subnet: { + id: '' + } + } + } + ] + nicSuffix: '-nic01' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "adminUsername": { + "value": "localAdminUser" + }, + "imageReference": { + "value": { + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2016-Datacenter", + "version": "latest" + } + }, + "name": { + "value": "<>cvmsswinmin001" + }, + "osDisk": { + "value": { + "createOption": "fromImage", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Windows" + }, + "skuName": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "adminPassword": { + "value": "" + }, + "nicConfigurations": { + "value": [ + { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "" + } + } + } + ], + "nicSuffix": "-nic01" + } + ] + } + } +} +``` + +
+

diff --git a/modules/Microsoft.Compute/virtualMachines/.test/.scripts/New-SSHKey.ps1 b/modules/Microsoft.Compute/virtualMachines/.test/.scripts/New-SSHKey.ps1 index 44808c3ae4..d12de1c45b 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/.scripts/New-SSHKey.ps1 +++ b/modules/Microsoft.Compute/virtualMachines/.test/.scripts/New-SSHKey.ps1 @@ -15,5 +15,5 @@ if (-not ($sshKey = Get-AzSshKey -ResourceGroupName $ResourceGroupName | Where-O # Write into Deployment Script output stream $DeploymentScriptOutputs = @{ # Requires conversion as the script otherwise returns an object instead of the plain public key string - publicKey = ($publicKey | ConvertTo-Json | ConvertFrom-Json).Value + publicKey = $publicKey | Out-String } diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/dependencies.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/dependencies.bicep index 54adfbd454..8d843a4e6a 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/dependencies.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/dependencies.bicep @@ -39,7 +39,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- } resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${resourceGroup().id}-${location}-${managedIdentity.id}-ResourceGroup-Reader-RoleAssignment') + name: guid(resourceGroup().id, 'Contributor', managedIdentity.id) scope: resourceGroup() properties: { principalId: managedIdentity.properties.principalId @@ -59,7 +59,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' } } properties: { - azPowerShellVersion: '6.2.1' + azPowerShellVersion: '9.0' retentionInterval: 'P1D' arguments: ' -SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"' scriptContent: loadTextContent('../.scripts/New-SSHKey.ps1') 
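Review bot: In the `@@ -15,5 +15,5 @@` hunk of New-SSHKey.ps1, `$publicKey | Out-String` appends a trailing newline to whatever string it receives, so the value written to `$DeploymentScriptOutputs` is no longer the bare key. That output presumably ends up as the `keyData` written to `authorized_keys`, where stray whitespace is easy to miss and makes key comparisons fail; trimming it keeps the output canonical: `publicKey = ($publicKey | Out-String).Trim()`. The comment above the line could also say which branch returns an object rather than a string. The `if`/`else` that assigns `$publicKey` starts outside the hunk, so that cannot be checked from here.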
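Review bot: In the `@@ -39,7 +39,7 @@` hunk of linux.atmg/dependencies.bicep, the new seed `guid(resourceGroup().id, 'Contributor', managedIdentity.id)` names the role with a free-text literal, so nothing ties the assignment name to the role definition that `properties` actually assigns. The removed line shows how such labels drift: it said `Reader` on a resource called `msiRGContrRoleAssignment`. Seeding with the same role definition ID that `properties.roleDefinitionId` uses (that part of the block is outside the hunk) would keep the two in step. Resource-group-wide Contributor for an identity that, in this file, appears only to run `New-SSHKey.ps1` also looks broader than the script needs, so a comment such as `// Contributor is required because <reason>` or a narrower role would help. The same line recurs in the `-39` hunk of linux.min/dependencies.bicep, the `-66` hunk of linux/dependencies.bicep and the `-63` hunk of windows/dependencies.bicep.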
@@ -80,8 +80,5 @@ resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = { @description('The resource ID of the created Virtual Network Subnet') output subnetResourceId string = virtualNetwork.properties.subnets[0].id -@description('The resource ID of the created SSH Key') -output SSHKeyResourceID string = sshKey.id - @description('The Public Key of the created SSH Key') -output SSHKey string = sshKey.properties.publicKey +output SSHKeyPublicKey string = sshKey.properties.publicKey diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/deploy.test.bicep index c95de415ed..ef103ae589 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux.atmg/deploy.test.bicep @@ -84,7 +84,7 @@ module testDeployment '../../deploy.bicep' = { disablePasswordAuthentication: true publicKeys: [ { - keyData: resourceGroupResources.outputs.SSHKey + keyData: resourceGroupResources.outputs.SSHKeyPublicKey path: '/home/localAdminUser/.ssh/authorized_keys' } ] diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux.min/dependencies.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux.min/dependencies.bicep index 731da6549b..c182f8f2e1 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux.min/dependencies.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux.min/dependencies.bicep @@ -39,7 +39,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- } resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${resourceGroup().id}-${location}-${managedIdentity.id}-ResourceGroup-Reader-RoleAssignment') + name: guid(resourceGroup().id, 'Contributor', managedIdentity.id) scope: resourceGroup() properties: { principalId: managedIdentity.properties.principalId 
@@ -59,7 +59,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' } } properties: { - azPowerShellVersion: '6.2.1' + azPowerShellVersion: '9.0' retentionInterval: 'P1D' arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"' scriptContent: loadTextContent('../.scripts/New-SSHKey.ps1') @@ -80,8 +80,5 @@ resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = { @description('The resource ID of the created Virtual Network Subnet') output subnetResourceId string = virtualNetwork.properties.subnets[0].id -@description('The resource ID of the created SSH Key') -output SSHKeyResourceID string = sshKey.id - @description('The Public Key of the created SSH Key') -output SSHKey string = sshKey.properties.publicKey +output SSHKeyPublicKey string = sshKey.properties.publicKey diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux.min/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux.min/deploy.test.bicep index f6eb2b0581..a518ab2b5c 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux.min/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux.min/deploy.test.bicep @@ -83,7 +83,7 @@ module testDeployment '../../deploy.bicep' = { disablePasswordAuthentication: true publicKeys: [ { - keyData: resourceGroupResources.outputs.SSHKey + keyData: resourceGroupResources.outputs.SSHKeyPublicKey path: '/home/localAdminUser/.ssh/authorized_keys' } ] diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux/dependencies.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux/dependencies.bicep index 0f5901e0eb..86e0b895b3 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux/dependencies.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux/dependencies.bicep 
@@ -66,7 +66,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- } resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${resourceGroup().id}-${location}-${managedIdentity.id}-ResourceGroup-Contributor-RoleAssignment') + name: guid(resourceGroup().id, 'Contributor', managedIdentity.id) scope: resourceGroup() properties: { principalId: managedIdentity.properties.principalId @@ -254,7 +254,7 @@ resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = { } } properties: { - azPowerShellVersion: '3.0' + azPowerShellVersion: '9.0' retentionInterval: 'P1D' arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"' scriptContent: loadTextContent('../.scripts/Set-BlobContent.ps1') @@ -275,7 +275,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' } } properties: { - azPowerShellVersion: '6.2.1' + azPowerShellVersion: '9.0' retentionInterval: 'P1D' arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"' scriptContent: loadTextContent('../.scripts/New-SSHKey.ps1') @@ -335,8 +335,5 @@ output storageAccountCSEFileUrl string = '${storageAccount.properties.primaryEnd @description('The name of the Custom Script Extension in the created Storage Account') output storageAccountCSEFileName string = storageAccountCSEFileName -@description('The resource ID of the created SSH Key') -output SSHKeyResourceID string = sshKey.id - @description('The Public Key of the created SSH Key') -output SSHKey string = sshKey.properties.publicKey +output SSHKeyPublicKey string = sshKey.properties.publicKey 
diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep index a2710bd5f7..899c34f1c4 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep @@ -60,11 +60,6 @@ module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnost // Test Execution // // ============== // -// resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' existing = { -// name: sshKeyName -// scope: resourceGroup -// } - module testDeployment '../../deploy.bicep' = { scope: resourceGroup name: '${uniqueString(deployment().name)}-test-${serviceShort}' @@ -202,7 +197,7 @@ module testDeployment '../../deploy.bicep' = { monitoringWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId publicKeys: [ { - keyData: resourceGroupResources.outputs.SSHKey + keyData: resourceGroupResources.outputs.SSHKeyPublicKey path: '/home/localAdminUser/.ssh/authorized_keys' } ] diff --git a/modules/Microsoft.Compute/virtualMachines/.test/windows/dependencies.bicep b/modules/Microsoft.Compute/virtualMachines/.test/windows/dependencies.bicep index 07e5e40f23..e55490885b 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/windows/dependencies.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/windows/dependencies.bicep @@ -63,7 +63,7 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- } resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid('msi-${resourceGroup().id}-${location}-${managedIdentity.id}-RG-Contributor-RoleAssignment') + name: guid(resourceGroup().id, 'Contributor', managedIdentity.id) scope: resourceGroup() properties: { principalId: managedIdentity.properties.principalId 
@@ -251,7 +251,7 @@ resource storageUpload 'Microsoft.Resources/deploymentScripts@2020-10-01' = { } } properties: { - azPowerShellVersion: '6.2.1' + azPowerShellVersion: '9.0' retentionInterval: 'P1D' arguments: '-StorageAccountName "${storageAccount.name}" -ResourceGroupName "${resourceGroup().name}" -ContainerName "${storageAccount::blobService::container.name}" -FileName "${storageAccountCSEFileName}"' scriptContent: loadTextContent('../.scripts/Set-BlobContent.ps1')