fixed conflict

windows/TOC.md

@@ -1,8 +0,0 @@
-# [Windows 10 and Windows 10 Mobile](index.md)
-## [What's new in Windows 10](whats-new/index.md)
-## [Plan for Windows 10 deployment](plan/index.md)
-## [Deploy Windows 10](deploy/index.md)
-## [Configure Windows 10](configure/index.md)
-## [Update Windows 10](update/index.md)
-## [Keep Windows 10 secure](keep-secure/index.md)
-## [Manage Windows 10](manage/index.md)

windows/access-protection/TOC.md

@@ -0,0 +1,190 @@
+# [Access protection](access-control/access-control.md)
+
+## [Access Control Overview](access-control/access-control.md)
+### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
+### [Security identifiers](access-control/security-identifiers.md)
+### [Security Principals](access-control/security-principals.md)
+### [Local Accounts](access-control/local-accounts.md)
+### [Active Directory Accounts](access-control/active-directory-accounts.md)
+### [Microsoft Accounts](access-control/microsoft-accounts.md)
+### [Service Accounts](access-control/service-accounts.md)
+### [Active Directory Security Groups](access-control/active-directory-security-groups.md)
+### [Special Identities](access-control/special-identities.md)
+
+## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
+
+## [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
+
+## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
+
+## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
+### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
+### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
+### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
+### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
+### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
+### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
+
+
+
+## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
+
+## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)
+### [How Smart Card Sign-in Works in Windows](smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md)
+#### [Smart Card Architecture](smart-cards/smart-card-architecture.md)
+#### [Certificate Requirements and Enumeration](smart-cards/smart-card-certificate-requirements-and-enumeration.md)
+#### [Smart Card and Remote Desktop Services](smart-cards/smart-card-and-remote-desktop-services.md)
+#### [Smart Cards for Windows Service](smart-cards/smart-card-smart-cards-for-windows-service.md)
+#### [Certificate Propagation Service](smart-cards/smart-card-certificate-propagation-service.md)
+#### [Smart Card Removal Policy Service](smart-cards/smart-card-removal-policy-service.md)
+### [Smart Card Tools and Settings](smart-cards/smart-card-tools-and-settings.md)
+#### [Smart Cards Debugging Information](smart-cards/smart-card-debugging-information.md)
+#### [Smart Card Group Policy and Registry Settings](smart-cards/smart-card-group-policy-and-registry-settings.md)
+#### [Smart Card Events](smart-cards/smart-card-events.md)
+
+### [User Account Control](user-account-control\user-account-control-overview.md)
+#### [How User Account Control works](user-account-control\how-user-account-control-works.md)
+#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
+#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
+
+### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
+### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
+#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
+##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)
+##### [Use Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md)
+##### [Deploy Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md)
+##### [Evaluate Virtual Smart Card Security](virtual-smart-cards\virtual-smart-card-evaluate-security.md)
+#### [Tpmvscmgr](virtual-smart-cards\virtual-smart-card-tpmvscmgr.md)
+
+
+## [VPN technical guide](vpn\vpn-guide.md)
+### [VPN connection types](vpn\vpn-connection-type.md)
+### [VPN routing decisions](vpn\vpn-routing.md)
+### [VPN authentication options](vpn\vpn-authentication.md)
+### [VPN and conditional access](vpn\vpn-conditional-access.md)
+### [VPN name resolution](vpn\vpn-name-resolution.md)
+### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md)
+### [VPN security features](vpn\vpn-security-features.md)
+### [VPN profile options](vpn\vpn-profile-options.md)
+### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
+### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
+
+## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
+### [Isolating Windows Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
+### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
+### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
+#### [Understanding the Windows Firewall with Advanced Security Design Process](windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md)
+#### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+##### [Protect Devices from Unwanted Network Traffic](windows-firewall/protect-devices-from-unwanted-network-traffic.md)
+##### [Restrict Access to Only Trusted Devices](windows-firewall/restrict-access-to-only-trusted-devices.md)
+##### [Require Encryption When Accessing Sensitive Network Resources](windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md)
+##### [Restrict Access to Only Specified Users or Computers](windows-firewall/restrict-access-to-only-specified-users-or-devices.md)
+#### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+##### [Basic Firewall Policy Design](windows-firewall/basic-firewall-policy-design.md)
+##### [Domain Isolation Policy Design](windows-firewall/domain-isolation-policy-design.md)
+##### [Server Isolation Policy Design](windows-firewall/server-isolation-policy-design.md)
+##### [Certificate-based Isolation Policy Design](windows-firewall/certificate-based-isolation-policy-design.md)
+#### [Evaluating Windows Firewall with Advanced Security Design Examples](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+##### [Firewall Policy Design Example](windows-firewall/firewall-policy-design-example.md)
+##### [Domain Isolation Policy Design Example](windows-firewall/domain-isolation-policy-design-example.md)
+##### [Server Isolation Policy Design Example](windows-firewall/server-isolation-policy-design-example.md)
+##### [Certificate-based Isolation Policy Design Example](windows-firewall/certificate-based-isolation-policy-design-example.md)
+#### [Designing a Windows Firewall with Advanced Security Strategy](windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md)
+##### [Gathering the Information You Need](windows-firewall/gathering-the-information-you-need.md)
+###### [Gathering Information about Your Current Network Infrastructure](windows-firewall/gathering-information-about-your-current-network-infrastructure.md)
+###### [Gathering Information about Your Active Directory Deployment](windows-firewall/gathering-information-about-your-active-directory-deployment.md)
+###### [Gathering Information about Your Computers](windows-firewall/gathering-information-about-your-devices.md)
+###### [Gathering Other Relevant Information](windows-firewall/gathering-other-relevant-information.md)
+##### [Determining the Trusted State of Your Computers](windows-firewall/determining-the-trusted-state-of-your-devices.md)
+#### [Planning Your Windows Firewall with Advanced Security Design](windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md)
+##### [Planning Settings for a Basic Firewall Policy](windows-firewall/planning-settings-for-a-basic-firewall-policy.md)
+##### [Planning Domain Isolation Zones](windows-firewall/planning-domain-isolation-zones.md)
+###### [Exemption List](windows-firewall/exemption-list.md)
+###### [Isolated Domain](windows-firewall/isolated-domain.md)
+###### [Boundary Zone](windows-firewall/boundary-zone.md)
+###### [Encryption Zone](windows-firewall/encryption-zone.md)
+##### [Planning Server Isolation Zones](windows-firewall/planning-server-isolation-zones.md)
+##### [Planning Certificate-based Authentication](windows-firewall/planning-certificate-based-authentication.md)
+###### [Documenting the Zones](windows-firewall/documenting-the-zones.md)
+###### [Planning Group Policy Deployment for Your Isolation Zones](windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md)
+####### [Planning Isolation Groups for the Zones](windows-firewall/planning-isolation-groups-for-the-zones.md)
+####### [Planning Network Access Groups](windows-firewall/planning-network-access-groups.md)
+####### [Planning the GPOs](windows-firewall/planning-the-gpos.md)
+######## [Firewall GPOs](windows-firewall/firewall-gpos.md)
+######### [GPO_DOMISO_Firewall](windows-firewall/gpo-domiso-firewall.md)
+######## [Isolated Domain GPOs](windows-firewall/isolated-domain-gpos.md)
+######### [GPO_DOMISO_IsolatedDomain_Clients](windows-firewall/gpo-domiso-isolateddomain-clients.md)
+######### [GPO_DOMISO_IsolatedDomain_Servers](windows-firewall/gpo-domiso-isolateddomain-servers.md)
+######## [Boundary Zone GPOs](windows-firewall/boundary-zone-gpos.md)
+######### [GPO_DOMISO_Boundary](windows-firewall/gpo-domiso-boundary.md)
+######## [Encryption Zone GPOs](windows-firewall/encryption-zone-gpos.md)
+######### [GPO_DOMISO_Encryption](windows-firewall/gpo-domiso-encryption.md)
+######## [Server Isolation GPOs](windows-firewall/server-isolation-gpos.md)
+####### [Planning GPO Deployment](windows-firewall/planning-gpo-deployment.md)
+#### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+#### [Planning to Deploy Windows Firewall with Advanced Security](windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md)
+#### [Implementing Your Windows Firewall with Advanced Security Design Plan](windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md)
+#### [Checklist: Creating Group Policy Objects](windows-firewall/checklist-creating-group-policy-objects.md)
+#### [Checklist: Implementing a Basic Firewall Policy Design](windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md)
+#### [Checklist: Configuring Basic Firewall Settings](windows-firewall/checklist-configuring-basic-firewall-settings.md)
+#### [Checklist: Creating Inbound Firewall Rules](windows-firewall/checklist-creating-inbound-firewall-rules.md)
+#### [Checklist: Creating Outbound Firewall Rules](windows-firewall/checklist-creating-outbound-firewall-rules.md)
+#### [Checklist: Implementing a Domain Isolation Policy Design](windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md)
+##### [Checklist: Configuring Rules for the Isolated Domain](windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md)
+##### [Checklist: Configuring Rules for the Boundary Zone](windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md)
+##### [Checklist: Configuring Rules for the Encryption Zone](windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md)
+##### [Checklist: Configuring Rules for an Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md)
+#### [Checklist: Implementing a Standalone Server Isolation Policy Design](windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md)
+##### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
+##### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
+#### [Checklist: Implementing a Certificate-based Isolation Policy Design](windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md)
+#### [Procedures Used in This Guide](windows-firewall/procedures-used-in-this-guide.md)
+##### [Add Production Devices to the Membership Group for a Zone](windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md)
+##### [Add Test Devices to the Membership Group for a Zone](windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md)
+##### [Assign Security Group Filters to the GPO](windows-firewall/assign-security-group-filters-to-the-gpo.md)
+##### [Change Rules from Request to Require Mode](windows-firewall/change-rules-from-request-to-require-mode.md)
+##### [Configure Authentication Methods](windows-firewall/configure-authentication-methods.md)
+##### [Configure Data Protection (Quick Mode) Settings](windows-firewall/configure-data-protection-quick-mode-settings.md)
+##### [Configure Group Policy to Autoenroll and Deploy Certificates](windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+##### [Configure Key Exchange (Main Mode) Settings](windows-firewall/configure-key-exchange-main-mode-settings.md)
+##### [Configure the Rules to Require Encryption](windows-firewall/configure-the-rules-to-require-encryption.md)
+##### [Configure the Windows Firewall Log](windows-firewall/configure-the-windows-firewall-log.md)
+##### [Configure the Workstation Authentication Certificate Template](windows-firewall/configure-the-workstation-authentication-certificate-template.md)
+##### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+##### [Confirm That Certificates Are Deployed Correctly](windows-firewall/confirm-that-certificates-are-deployed-correctly.md)
+##### [Copy a GPO to Create a New GPO](windows-firewall/copy-a-gpo-to-create-a-new-gpo.md)
+##### [Create a Group Account in Active Directory](windows-firewall/create-a-group-account-in-active-directory.md)
+##### [Create a Group Policy Object](windows-firewall/create-a-group-policy-object.md)
+##### [Create an Authentication Exemption List Rule](windows-firewall/create-an-authentication-exemption-list-rule.md)
+##### [Create an Authentication Request Rule](windows-firewall/create-an-authentication-request-rule.md)
+##### [Create an Inbound ICMP Rule](windows-firewall/create-an-inbound-icmp-rule.md)
+##### [Create an Inbound Port Rule](windows-firewall/create-an-inbound-port-rule.md)
+##### [Create an Inbound Program or Service Rule](windows-firewall/create-an-inbound-program-or-service-rule.md)
+##### [Create an Outbound Port Rule](windows-firewall/create-an-outbound-port-rule.md)
+##### [Create an Outbound Program or Service Rule](windows-firewall/create-an-outbound-program-or-service-rule.md)
+##### [Create Inbound Rules to Support RPC](windows-firewall/create-inbound-rules-to-support-rpc.md)
+##### [Create WMI Filters for the GPO](windows-firewall/create-wmi-filters-for-the-gpo.md)
+##### [Enable Predefined Inbound Rules](windows-firewall/enable-predefined-inbound-rules.md)
+##### [Enable Predefined Outbound Rules](windows-firewall/enable-predefined-outbound-rules.md)
+##### [Exempt ICMP from Authentication](windows-firewall/exempt-icmp-from-authentication.md)
+##### [Link the GPO to the Domain](windows-firewall/link-the-gpo-to-the-domain.md)
+##### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+##### [Open the Group Policy Management Console to IP Security Policies](windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md)
+##### [Open the Group Policy Management Console to Windows Firewall](windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md)
+##### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+##### [Open Windows Firewall with Advanced Security](windows-firewall/open-windows-firewall-with-advanced-security.md)
+##### [Restrict Server Access to Members of a Group Only](windows-firewall/restrict-server-access-to-members-of-a-group-only.md)
+##### [Turn on Windows Firewall and Configure Default Behavior](windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md)
+##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md)
+
+## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+### [How Windows Hello for Business works](hello-for-business/hello-how-it-works.md)
+### [Manage Windows Hello for Business in your organization](hello-for-business/hello-manage-in-organization.md)
+### [Why a PIN is better than a password](hello-for-business/hello-why-pin-is-better-than-password.md)
+### [Prepare people to use Windows Hello](hello-for-business/hello-prepare-people-to-use.md)
+### [Windows Hello and password changes](hello-for-business/hello-and-password-changes.md)
+### [Windows Hello errors during PIN creation](hello-for-business/hello-errors-during-pin-creation.md)
+### [Event ID 300 - Windows Hello successfully created](hello-for-business/hello-event-300.md)
+### [Windows Hello biometrics in the enterprise](hello-for-business/hello-biometrics-in-enterprise.md)

windows/access-protection/access-control/access-control.md

@@ -114,14 +114,14 @@ User rights grant specific privileges and sign-in rights to users and groups in
 
 User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
 
-For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
+For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/access-user-rights-assignment).
 
 ## Object auditing
 
 
 With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
 
-For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
+For more information about auditing, see [Security Auditing Overview](/windows/device-security/auditing/security-auditing-overview).
 
 ## See also
 

windows/access-protection/access-control/active-directory-accounts.md

@@ -176,7 +176,7 @@ Because the Guest account can provide anonymous access, it is a security risk. I
 
 When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
 
--   Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
+-   Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
 
 -   Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
 
@@ -571,7 +571,7 @@ If the administrators in your environment can sign in locally to managed servers
 
 -   **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
 
--   **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
+-   **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](/windows/device-security/applocker/applocker-overview).
 
 The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
 

windows/access-protection/access-control/active-directory-security-groups.md

@@ -50,7 +50,7 @@ Security groups can provide an efficient way to assign access to resources on yo
 
     For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
 
-    You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user-rights-assignment.md).
+    You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
 
 -   Assign permissions to security groups for resources.
 
@@ -650,7 +650,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p></td>
 </tr>
 </tbody>
 </table>
@@ -672,9 +672,9 @@ Membership can be modified by members of the following groups: the default servi
 
 This security group includes the following changes since Windows Server 2008:
 
--   Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md).
+-   Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services).
 
--   [Remove computer from docking station](remove-computer-from-docking-station.md) was removed in Windows Server 2012 R2.
+-   [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2.
 
 <table>
 <colgroup>
@@ -722,33 +722,33 @@ This security group includes the following changes since Windows Server 2008:
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
-<p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md): SeRemoteInteractiveLogonRight</p>
-<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Change the system time](change-the-system-time.md): SeSystemTimePrivilege</p>
-<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
-<p>[Create a pagefile](create-a-pagefile.md): SeCreatePagefilePrivilege</p>
-<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Create symbolic links](create-symbolic-links.md): SeCreateSymbolicLinkPrivilege</p>
-<p>[Debug programs](debug-programs.md): SeDebugPrivilege</p>
-<p>[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md): SeEnableDelegationPrivilege</p>
-<p>[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
-<p>[Increase scheduling priority](increase-scheduling-priority.md): SeIncreaseBasePriorityPrivilege</p>
-<p>[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege</p>
-<p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p>
-<p>[Manage auditing and security log](manage-auditing-and-security-log.md): SeSecurityPrivilege</p>
-<p>[Modify firmware environment values](modify-firmware-environment-values.md): SeSystemEnvironmentPrivilege</p>
-<p>[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md): SeManageVolumePrivilege</p>
-<p>[Profile system performance](profile-system-performance.md): SeSystemProfilePrivilege</p>
-<p>[Profile single process](profile-single-process.md): SeProfileSingleProcessPrivilege</p>
-<p>[Remove computer from docking station](remove-computer-from-docking-station.md): SeUndockPrivilege</p>
-<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p>
-<p>[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md): SeTakeOwnershipPrivilege</p></td>
+<td><p>[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege</p>
+<p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight</p>
+<p>[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+<p>[Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege</p>
+<p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege</p>
+<p>[Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege</p>
+<p>[Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege</p>
+<p>[Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p>
+<p>[Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege</p>
+<p>[Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege</p>
+<p>[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight</p>
+<p>[Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege</p>
+<p>[Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege</p>
+<p>[Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege</p>
+<p>[Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege</p>
+<p>[Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege</p>
+<p>[Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p>
+<p>[Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -870,11 +870,11 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
-<p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p>
-<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege</p>
+<p>[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -2330,7 +2330,7 @@ Members of the Performance Log Users group can manage performance counters, logs
 
 -   Can use all the features that are available to the Performance Monitor Users group.
 
--   Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right.
+-   Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
 
     **Warning**  
     If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
@@ -2339,7 +2339,7 @@ Members of the Performance Log Users group can manage performance counters, logs
 
 -   Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
 
-For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
+For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
 
 **Note**  
 This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@@ -2401,7 +2401,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p></td>
+<td><p>[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight</p></td>
 </tr>
 </tbody>
 </table>
@@ -2548,8 +2548,8 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -2612,9 +2612,9 @@ This security group has not changed since Windows Server 2008. However, in Windo
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -3327,13 +3327,13 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="odd">
 <td><p>Default User Rights</p></td>
-<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
-<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
-<p>[Change the system time](change-the-system-time.md): SeSystemTimePrivilege</p>
-<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
-<p>[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege</p>
-<p>[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege</p>
-<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
+<td><p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p>
+<p>[Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege</p>
+<p>[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+<p>[Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege</p>
+<p>[Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege</p></td>
 </tr>
 </tbody>
 </table>

windows/access-protection/access-control/local-accounts.md

@@ -123,7 +123,7 @@ By default, the Guest account is the only member of the default Guests group, wh
 
 When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
 
-When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right.
+When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right.
 
 In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
 
@@ -200,7 +200,7 @@ In addition, UAC can require administrators to specifically approve applications
 
 For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
 
-For more information about UAC, see [User Account Control](user-account-control-overview.md).
+For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview).
 
 The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
 
@@ -224,7 +224,7 @@ The following table shows the Group Policy and registry settings that are used t
 <tr class="odd">
 <td><p>1</p></td>
 <td><p>Policy name</p></td>
-<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)</p></td>
+<td><p>[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)</p></td>
 </tr>
 <tr class="even">
 <td><p></p></td>
@@ -239,7 +239,7 @@ The following table shows the Group Policy and registry settings that are used t
 <tr class="even">
 <td><p></p></td>
 <td><p>Policy name</p></td>
-<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)</p></td>
+<td><p>[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)</p></td>
 </tr>
 <tr class="odd">
 <td><p></p></td>
@@ -368,7 +368,7 @@ The following table shows the Group Policy settings that are used to deny networ
 <tr class="odd">
 <td><p>1</p></td>
 <td><p>Policy name</p></td>
-<td><p>[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)</p></td>
+<td><p>[Deny access to this computer from the network](/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network)</p></td>
 </tr>
 <tr class="even">
 <td><p></p></td>
@@ -384,7 +384,7 @@ The following table shows the Group Policy settings that are used to deny networ
 <tr class="even">
 <td><p></p></td>
 <td><p>Policy name</p></td>
-<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p></td>
+<td><p>[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)</p></td>
 </tr>
 <tr class="odd">
 <td><p></p></td>

windows/access-protection/access-control/microsoft-accounts.md

@@ -118,7 +118,7 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
 
 ### <a href="" id="bkmk-restrictuse"></a>Restrict the use of the Microsoft account
 
-If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
+If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
 
 The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
 
@@ -151,7 +151,7 @@ Only the owner of the Microsoft account can change the password. Passwords can b
 
 ### <a href="" id="bkmk-restrictappinstallationandusage"></a>Restrict app installation and usage
 
-Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker).
 
 ## See also
 

windows/access-protection/access-control/security-principals.md

@@ -83,7 +83,7 @@ Permissions are different from user rights in that permissions are attached to o
 
 On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
 
-For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md).
+For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
 
 ### <a href="" id="bkmk-authn"></a> Security context in authentication
 

windows/access-protection/access-control/special-identities.md

@@ -145,9 +145,9 @@ Any user who accesses the system through a sign-in process has the Authenticated
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -375,8 +375,8 @@ This group includes all domain controllers in an Active Directory forest. Domain
 </tr>
 <tr class="even">
 <td><p>Default User Rights Assignment</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight</p></td>
 </tr>
 </tbody>
 </table>
@@ -418,9 +418,9 @@ Membership is controlled by the operating system.
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
-<p>[Act as part of the operating system](act-as-part-of-the-operating-system.md): SeTcbPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
+<td><p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</p>
+<p>[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -496,14 +496,14 @@ The Local Service account is similar to an Authenticated User account. The Local
 </tr>
 <tr class="even">
 <td><p>Default user rights</p></td>
-<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Change the system time](change-the-system-time.md): SeSystemtimePrivilege</p>
-<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
-<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Generate security audits](generate-security-audits.md): SeAuditPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
-<p>[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege</p></td>
+<td><p>[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege</p>
+<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege</p>
+<p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p>
+<p>[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -617,13 +617,13 @@ The Network Service account is similar to an Authenticated User account. The Net
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
-<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Generate security audits](generate-security-audits.md): SeAuditPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
-<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
-<p>[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege</p></td>
+<td><p>[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege</p>
+<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p>
+<p>[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege</p>
+<p>[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -885,8 +885,8 @@ Any service that accesses the system has the Service identity. This identity gro
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
-<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p></td>
+<td><p>[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege</p>
+<p>[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege</p></td>
 </tr>
 </tbody>
 </table>
@@ -996,8 +996,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>
-<td><p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
-<p>[Increase a process working set](increase-a-process-working-set.md): SeIncreaseWorkingSetPrivilege</p></td>
+<td><p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege</p>
+<p>[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege</p></td>
 </tr>
 </tbody>
 </table>

windows/access-protection/change-history-for-access-protection.md

@@ -0,0 +1,17 @@
+---
+title: Change history for access protection (Windows 10)
+description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Change history for access protection
+This topic lists new and updated topics in the [Access protection](index.md) documentation.
+
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|

windows/access-protection/credential-guard/credential-guard-manage.md

@@ -19,7 +19,7 @@ Prefer video? See [Protecting privileged users with Credential Guard](https://mv
 in the Deep Dive into Credential Guard video series.
 
 ## Enable Credential Guard
-Credential Guard can be enabled either by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. 
+Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. 
 The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
 
 
@@ -187,7 +187,7 @@ If you have to disable Credential Guard on a PC, you can use the following set o
 > [!NOTE]  
 > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
 
-For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
 
 <span id="turn-off-with-hardware-readiness-tool" />
 #### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool

windows/access-protection/credential-guard/credential-guard.md

@@ -37,7 +37,7 @@ By enabling Credential Guard, the following features and solutions are provided:
 - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
 - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
 - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
-- [Trusted Platform Module](trusted-platform-module-overview.md)
+- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
  
 
 ## See also

windows/access-protection/enterprise-certificate-pinning.md

@@ -5,7 +5,6 @@ ms.author: mstephens
 author: MikeStephens-MS
 description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.  
 manager: alanth
-ms.date: 2016-12-27
 ms.prod: w10
 ms.technology: security
 ms.sitesec: library

windows/access-protection/hello-for-business/hello-and-password-changes.md

@@ -25,7 +25,7 @@ Because you were using **Device A** when you changed your password, the PIN on *
 Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
 
 >[!NOTE]
->This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
+>This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](hello-manage-in-organization.md).
  
 ## How to update Hello after you change your password on another device
 

windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md

@@ -35,7 +35,7 @@ Windows Hello provides many benefits, including:
 
 -   Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords!
 
--   Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
+-   Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic.
 
 ## Where is Microsoft Hello data stored?
 The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.

windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md

@@ -44,7 +44,7 @@ The TPM protects against a variety of known and potential attacks, including PIN
 
 ## PIN can be complex
 
-The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
+The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](hello-manage-in-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
 
 ## What if someone steals the laptop or phone?
 

windows/access-protection/index.md

@@ -0,0 +1,28 @@
+---
+title: Access protection (Windows 10)
+description: Learn more about access protection technologies in Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Access protection
+
+Learn more about access protection technologies in Windows 10 and Windows 10 Mobile.
+
+| Section | Description |
+|-|-|
+| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
+| [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
+| [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. |
+| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
+| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
+| [User Account Control](user-account-control/user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
+| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
+| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
+| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |