diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
index 62bc5d128..060a44633 100644
--- a/workload/arm/deploy-baseline.json
+++ b/workload/arm/deploy-baseline.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.30.23.60470",
- "templateHash": "8514367717295350076"
+ "templateHash": "16220838410328199964"
 },
 "name": "AVD Accelerator - Baseline Deployment",
 "description": "AVD Accelerator - Deployment Baseline",
@@ -17542,7 +17542,7 @@ }, "publicNetworkAccess": "[if(parameters('deployPrivateEndpointKeyvaultStorage'), createObject('value', 'Disabled'), createObject('value', 'Enabled'))]", "networkAcls": "[if(parameters('deployPrivateEndpointKeyvaultStorage'), createObject('value', createObject('bypass', 'AzureServices', 'defaultAction', 'Deny', 'virtualNetworkRules', createArray(), 'ipRules', createArray())), createObject('value', createObject()))]", - "privateEndpoints": "[if(parameters('deployPrivateEndpointKeyvaultStorage'), createObject('value', createArray(createObject('name', variables('varWrklKvPrivateEndpointName'), 'subnetResourceId', if(parameters('createAvdVnet'), format('{0}/subnets/{1}', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.virtualNetworkResourceId.value, variables('varVnetPrivateEndpointSubnetName')), parameters('existingVnetPrivateEndpointSubnetResourceId')), 'customNetworkInterfaceName', format('nic-01-{0}', variables('varWrklKvPrivateEndpointName')), 'service', 'vault', 'privateDnsZoneGroup', createObject('privateDNSResourceIds', createArray(if(parameters('createPrivateDnsZones'), reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.KeyVaultDnsZoneResourceId.value, parameters('avdVnetPrivateDnsZoneKeyvaultId'))))))), createObject('value', createArray()))]", + "privateEndpoints": "[if(parameters('deployPrivateEndpointKeyvaultStorage'), createObject('value', createArray(createObject('name', variables('varWrklKvPrivateEndpointName'), 'subnetResourceId', if(parameters('createAvdVnet'), format('{0}/subnets/{1}', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.virtualNetworkResourceId.value, variables('varVnetPrivateEndpointSubnetName')), 
parameters('existingVnetPrivateEndpointSubnetResourceId')), 'customNetworkInterfaceName', format('nic-01-{0}', variables('varWrklKvPrivateEndpointName')), 'service', 'vault', 'privateDnsZoneGroupName', split(reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.KeyVaultDnsZoneResourceId.value, '/')[8], 'privateDnsZoneResourceIds', createArray(if(parameters('createPrivateDnsZones'), reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.KeyVaultDnsZoneResourceId.value, parameters('avdVnetPrivateDnsZoneKeyvaultId')))))), createObject('value', createArray()))]", "secrets": "[if(not(equals(parameters('avdIdentityServiceProvider'), 'EntraID')), createObject('value', createArray(createObject('name', 'vmLocalUserPassword', 'value', parameters('avdVmLocalUserPassword'), 'contentType', 'Session host local user credentials'), createObject('name', 'vmLocalUserName', 'value', parameters('avdVmLocalUserName'), 'contentType', 'Session host local user credentials'), createObject('name', 'domainJoinUserName', 'value', parameters('avdDomainJoinUserName'), 'contentType', 'Domain join credentials'), createObject('name', 'domainJoinUserPassword', 'value', parameters('avdDomainJoinUserPassword'), 'contentType', 'Domain join credentials'))), createObject('value', createArray(createObject('name', 'vmLocalUserPassword', 'value', parameters('avdVmLocalUserPassword'), 'contentType', 'Session host local user credentials'), createObject('name', 'vmLocalUserName', 'value', parameters('avdVmLocalUserName'), 'contentType', 'Session host local user credentials'), createObject('name', 'domainJoinUserName', 'value', 'NoUsername', 'contentType', 'Domain join credentials'), createObject('name', 'domainJoinUserPassword', 'value', 'NoPassword', 'contentType', 'Domain join credentials'))))]", "tags": "[if(parameters('createResourceTags'), 
createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'), variables('varWorkloadKeyvaultTag'))), createObject('value', union(variables('varAvdDefaultTags'), variables('varWorkloadKeyvaultTag'))))]" },
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
index 9f6feb90c..29c4eae7e 100644
--- a/workload/bicep/deploy-baseline.bicep
+++ b/workload/bicep/deploy-baseline.bicep
@@ -1229,8 +1229,7 @@ module wrklKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = {
 ipRules: []
 } : {}
- privateEndpoints: deployPrivateEndpointKeyvaultStorage
- ? [
+ privateEndpoints: deployPrivateEndpointKeyvaultStorage? [
 {
 name: varWrklKvPrivateEndpointName
 subnetResourceId: createAvdVnet
@@ -1238,13 +1237,12 @@ module wrklKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = {
 : existingVnetPrivateEndpointSubnetResourceId
 customNetworkInterfaceName: 'nic-01-${varWrklKvPrivateEndpointName}'
 service: 'vault'
- privateDnsZoneGroup: {
- privateDNSResourceIds: [
+ privateDnsZoneGroupName: split(networking.outputs.KeyVaultDnsZoneResourceId, '/')[8]
+ privateDnsZoneResourceIds: [
 createPrivateDnsZones
 ? networking.outputs.KeyVaultDnsZoneResourceId
 : avdVnetPrivateDnsZoneKeyvaultId
- ]
- }
+ ]
 }
- ]
+ ] : []
 secrets: (avdIdentityServiceProvider != 'EntraID') ? [
diff --git a/workload/scripts/DSCStorageScripts/1.0.1/DSCStorageScripts.zip b/workload/scripts/DSCStorageScripts/1.0.1/DSCStorageScripts.zip
index 2111475ab..7aa71861e 100644
Binary files a/workload/scripts/DSCStorageScripts/1.0.1/DSCStorageScripts.zip and b/workload/scripts/DSCStorageScripts/1.0.1/DSCStorageScripts.zip differ
diff --git a/workload/scripts/DSCStorageScripts/1.0.1/Script-DomainJoinStorage.ps1 b/workload/scripts/DSCStorageScripts/1.0.1/Script-DomainJoinStorage.ps1
index 95a621f88..dedc11eb4 100644
--- a/workload/scripts/DSCStorageScripts/1.0.1/Script-DomainJoinStorage.ps1
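Review bot: `privateDnsZoneGroupName` in the second bicep hunk is always derived from `networking.outputs.KeyVaultDnsZoneResourceId`, while the zone actually attached two lines below is `avdVnetPrivateDnsZoneKeyvaultId` whenever `createPrivateDnsZones` is false, so the group name and the zone ID come from different sources in that configuration. If the Networking module emits no zone ID in that case (not visible from this hunk), `split(...)[8]` fails at deployment time with an index error instead of falling back to the supplied zone. Deriving both from the same conditional keeps them consistent and independent of resource-ID segment count: `privateDnsZoneGroupName: last(split(createPrivateDnsZones ? networking.outputs.KeyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId, '/'))`. A style nit in the first hunk: `deployPrivateEndpointKeyvaultStorage? [` drops the space before `?` that the file's other ternaries keep. The enclosing `wrklKeyVault` module block starts and ends outside these hunks.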
+++ b/workload/scripts/DSCStorageScripts/1.0.1/Script-DomainJoinStorage.ps1
@@ -63,7 +63,7 @@ $ErrorActionPreference = "Stop"
 . (Join-Path $ScriptPath "Logger.ps1")
-if ($IdentityServiceProvider -ne 'AAD') {
+if ($IdentityServiceProvider -ne 'EntraID') {
 Write-Log "Forcing group policy updates"
 gpupdate /force /wait:0
@@ -171,7 +171,7 @@ Try {
 icacls ${DriveLetter}: /remove "BUILTIN\Users"
 Write-Log "ACLs set" #AVD group permissions
- if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
+ if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'EntraID') {
 Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
 } else {
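Review bot: The comparisons in both hunks now recognise only `'EntraID'`; a caller that still passes the previous value `'AAD'` is no longer matched and silently takes the domain-joined path (`gpupdate /force` at line 63 and the AD-group ACL branch at line 171) instead of being rejected. Because the supported providers are a closed set, a `[ValidateSet(...)]` attribute on the `$IdentityServiceProvider` parameter (declared outside these hunks) listing the accepted values would make a stale value fail at invocation; alternatively an explicit guard before line 63, `if ($IdentityServiceProvider -eq 'AAD') { throw "IdentityServiceProvider value 'AAD' has been renamed to 'EntraID'" }`, gives the same fail-fast behaviour. The `Try` block enclosing the second hunk starts and ends outside it.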