diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index e8baf340ee..2a1fa44832 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -738,7 +738,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 
 <dl>
   <dd>
-    <a href="./policy-csp-cryptography.md#CryptographyAllowFipsAlgorithmPolicy" id="CryptographyAllowFipsAlgorithmPolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
+    <a href="./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy" id="CryptographyAllowFipsAlgorithmPolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
   </dd>
   <dd>
     <a href="./policy-csp-cryptography.md#cryptography-tlsciphersuites" id="cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a>
@@ -4378,7 +4378,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
 -   [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
 -   [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
--   [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#CryptographyAllowFipsAlgorithmPolicy)
+-   [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy)
 -   [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
 -   [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
 -   [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
@@ -5243,7 +5243,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 
 -   [Camera/AllowCamera](#camera-allowcamera)
 -   [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
--   [Cryptography/AllowFipsAlgorithmPolicy](#CryptographyAllowFipsAlgorithmPolicy)
+-   [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy)
 -   [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
 -   [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
 -   [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 4f8489c0d3..0f9793b0a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -93,6 +93,7 @@ The following steps are required to enable this integration:
 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
 
 <span id="server-mma"/>
+
 ### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP 
 
 1.	Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
@@ -107,6 +108,7 @@ The following steps are required to enable this integration:
 Once completed, you should see onboarded servers in the portal within an hour.
 
 <span id="server-proxy"/>
+
 ### Configure server proxy and Internet connectivity settings
  
 - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the <a href="https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway" data-raw-source="[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)">OMS Gateway</a>.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 3ffa588f98..4a19677915 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -157,7 +157,7 @@ The service could not contact the external processing servers at that URL.</td>
 <td>17</td>
 <td>Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: <code>variable</code>.</td>
 <td>An error occurred with the Windows telemetry service.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)">Ensure the diagnostic data service is enabled</a>.<br>
+<td><a href="troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
 See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
 </tr>
@@ -208,7 +208,7 @@ Ensure real-time antimalware protection is running properly.</td>
 <td>28</td>
 <td>Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: <code>variable</code>.</td>
 <td>An error occurred with the Windows telemetry service.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled)">Ensure the diagnostic data service is enabled</a>.<br>
+<td><a href="troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
 See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
 </tr>
@@ -249,7 +249,7 @@ If the identifier does not persist, the same machine might appear twice in the p
 <td>34</td>
 <td>Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: <code>variable</code>.</td>
 <td>An error occurred with the Windows telemetry service.</td>
-<td><a href="troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled)">Ensure the diagnostic data service is enabled</a>.<br>
+<td><a href="troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
 Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
 See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
 </tr>
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index a96e4fe4a4..4db5431253 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -160,7 +160,7 @@ This tab is only displayed when an investigation is complete and shows all pendi
 ## Pending actions
 If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. 
 
-![Image of pending actions](images\pending-actions.png)
+![Image of pending actions](images/pending-actions.png)
 
 When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**.
 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index a6fcc5d848..200d144ad9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -66,50 +66,50 @@ The following table provides information on the icons used all throughout the po
 
 Icon | Description
 :---|:---
-![ATP logo icon](images\atp-logo-icon.png)| Microsoft Defender ATP logo
-![Alert icon](images\alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks.
-![Detection icon](images\detection-icon.png)| Detection – Indication of a malware threat detection.
-![Active threat icon](images\active-threat-icon.png)| Active threat – Threats actively executing at the time of detection.
-![Remediated icon](images\remediated-icon.png)| Remediated – Threat removed from the machine.
-![Not remediated icon](images\not-remediated-icon.png)| Not remediated – Threat not removed from the machine.
-![Thunderbolt icon](images\atp-thunderbolt-icon.png)| Indicates events that triggered an alert in the **Alert process tree**.
-![Machine icon](images\atp-machine-icon.png)| Machine icon
-![Windows Defender AV events icon](images\atp-windows-defender-av-events-icon.png)| Windows Defender Antivirus events
-![Application Guard events icon](images\atp-Application-Guard-events-icon.png)| Windows Defender Application Guard events
-![Device Guard events icon](images\atp-Device-Guard-events-icon.png)| Windows Defender Device Guard events
-![Exploit Guard events icon](images\atp-Exploit-Guard-events-icon.png)| Windows Defender Exploit Guard events
-![SmartScreen events icon](images\atp-Smart-Screen-events-icon.png)| Windows Defender SmartScreen events
-![Firewall events icon](images\atp-Firewall-events-icon.png)| Windows Firewall events
-![Response action icon](images\atp-respond-action-icon.png)| Response action
-![Process events icon](images\atp-process-event-icon.png)| Process events
-![Network communication events icon](images\atp-network-communications-icon.png)| Network events
-![File observed events icon](images\atp-file-observed-icon.png)| File  events
-![Registry events icon](images\atp-registry-event-icon.png)| Registry events
-![Module load DLL events icon](images\atp-module-load-icon.png)| Load DLL events
-![Other events icon](images\atp-Other-events-icon.png)| Other events
-![Access token modification icon](images\atp-access-token-modification-icon.png)| Access token modification
-![File creation icon](images\atp-file-creation-icon.png)| File creation
-![Signer icon](images\atp-signer-icon.png)| Signer
-![File path icon](images\atp-File-path-icon.png)| File path
-![Command line icon](images\atp-command-line-icon.png)| Command line
-![Unsigned file icon](images\atp-unsigned-file-icon.png)| Unsigned file
-![Process tree icon](images\atp-process-tree.png)| Process tree
-![Memory allocation icon](images\atp-memory-allocation-icon.png)| Memory allocation
-![Process injection icon](images\atp-process-injection.png)| Process injection
-![Powershell command run icon](images\atp-powershell-command-run-icon.png)| Powershell command run
-![Community center icon](images\atp-community-center.png) | Community center 
-![Notifications icon](images\atp-notifications.png) | Notifications
-![No threats found](images\no-threats-found.png) | Automated investigation - no threats found
-![Failed icon](images\failed.png) | Automated investigation - failed
-![Partially remediated icon](images\partially-investigated.png) | Automated investigation - partially investigated
-![Termindated by system](images\terminated-by-system.png) | Automated investigation - terminated by system
-![Pending icon](images\pending.png) | Automated investigation - pending
-![Running icon](images\running.png) | Automated investigation - running
-![Remediated icon](images\remediated.png) | Automated investigation - remediated 
-![Partially investigated icon](images\partially_remediated.png) | Automated investigation - partially remediated
-![Threat insights icon](images\tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights
-![Possible active alert icon](images\tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert 
-![Recommendation insights icon](images\tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights
+![ATP logo icon](images/atp-logo-icon.png)| Microsoft Defender ATP logo
+![Alert icon](images/alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks.
+![Detection icon](images/detection-icon.png)| Detection – Indication of a malware threat detection.
+![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection.
+![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the machine.
+![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the machine.
+![Thunderbolt icon](images/atp-thunderbolt-icon.png)| Indicates events that triggered an alert in the **Alert process tree**.
+![Machine icon](images/atp-machine-icon.png)| Machine icon
+![Windows Defender AV events icon](images/atp-windows-defender-av-events-icon.png)| Windows Defender Antivirus events
+![Application Guard events icon](images/atp-Application-Guard-events-icon.png)| Windows Defender Application Guard events
+![Device Guard events icon](images/atp-Device-Guard-events-icon.png)| Windows Defender Device Guard events
+![Exploit Guard events icon](images/atp-Exploit-Guard-events-icon.png)| Windows Defender Exploit Guard events
+![SmartScreen events icon](images/atp-Smart-Screen-events-icon.png)| Windows Defender SmartScreen events
+![Firewall events icon](images/atp-Firewall-events-icon.png)| Windows Firewall events
+![Response action icon](images/atp-respond-action-icon.png)| Response action
+![Process events icon](images/atp-process-event-icon.png)| Process events
+![Network communication events icon](images/atp-network-communications-icon.png)| Network events
+![File observed events icon](images/atp-file-observed-icon.png)| File  events
+![Registry events icon](images/atp-registry-event-icon.png)| Registry events
+![Module load DLL events icon](images/atp-module-load-icon.png)| Load DLL events
+![Other events icon](images/atp-Other-events-icon.png)| Other events
+![Access token modification icon](images/atp-access-token-modification-icon.png)| Access token modification
+![File creation icon](images/atp-file-creation-icon.png)| File creation
+![Signer icon](images/atp-signer-icon.png)| Signer
+![File path icon](images/atp-File-path-icon.png)| File path
+![Command line icon](images/atp-command-line-icon.png)| Command line
+![Unsigned file icon](images/atp-unsigned-file-icon.png)| Unsigned file
+![Process tree icon](images/atp-process-tree.png)| Process tree
+![Memory allocation icon](images/atp-memory-allocation-icon.png)| Memory allocation
+![Process injection icon](images/atp-process-injection.png)| Process injection
+![Powershell command run icon](images/atp-powershell-command-run-icon.png)| Powershell command run
+![Community center icon](images/atp-community-center.png) | Community center 
+![Notifications icon](images/atp-notifications.png) | Notifications
+![No threats found](images/no-threats-found.png) | Automated investigation - no threats found
+![Failed icon](images/failed.png) | Automated investigation - failed
+![Partially remediated icon](images/partially-investigated.png) | Automated investigation - partially investigated
+![Termindated by system](images/terminated-by-system.png) | Automated investigation - terminated by system
+![Pending icon](images/pending.png) | Automated investigation - pending
+![Running icon](images/running.png) | Automated investigation - running
+![Remediated icon](images/remediated.png) | Automated investigation - remediated 
+![Partially investigated icon](images/partially_remediated.png) | Automated investigation - partially remediated
+![Threat insights icon](images/tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights
+![Possible active alert icon](images/tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert 
+![Recommendation insights icon](images/tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights
 
 ## Related topics
 - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index 504b2e910d..078fc9543d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -44,7 +44,7 @@ Potential reasons:
 For both cases you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
 [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
 
-![Image of no subscriptions found](images\atp-no-subscriptions-found.png)
+![Image of no subscriptions found](images/atp-no-subscriptions-found.png)
 
 ## Your subscription has expired
 
@@ -55,14 +55,14 @@ You can choose to renew or extend the license at any point in time. When accessi
 > [!NOTE]
 > For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
 
-![Image of subscription expired](images\atp-subscription-expired.png)
+![Image of subscription expired](images/atp-subscription-expired.png)
 
 ## You are not authorized to access the portal
 
 If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
 For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
 
-![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png)
+![Image of not authorized to access portal](images/atp-not-authorized-to-access-portal.png)
 
 ## Data currently isn't available on some sections of the portal
 If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index d9e99a0ba8..dc5baed9b0 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -35,7 +35,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1
 This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
 The Privacy setting is off by default, which hides the details.
 
-![Privacy setting](images\privacy-setting-in-sign-in-options.png)
+![Privacy setting](images/privacy-setting-in-sign-in-options.png)
 
 The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 0666cbac40..1f0c64f9c3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -27,11 +27,11 @@ You can use Microsoft Intune to configure Windows Defender Application Control (
 
 3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**.  
 
-   ![Configure profile](images\wdac-intune-create-profile-name.png)
+   ![Configure profile](images/wdac-intune-create-profile-name.png)
 
 4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**:
 
    - **Application control code intergity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run.  
    - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.
 
-   ![Configure WDAC](images\wdac-intune-wdac-settings.png)
+   ![Configure WDAC](images/wdac-intune-wdac-settings.png)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 5f87fa942d..3cd5fee197 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -61,7 +61,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
 3. Double-click **Turn on Virtualization Based Security**.
 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
 
-   ![Enable HVCI using Group Policy](images\enable-hvci-gp.png)
+   ![Enable HVCI using Group Policy](images/enable-hvci-gp.png)
 
 5. Click **Ok** to close the editor.