diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 7382a66a00..04739b0f9c 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -71,4 +71,4 @@ For more information about this design:
 
 -   For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
 
-**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
+**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index accc64084b..efa67c42bc 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -57,4 +57,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
 
 Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
 
-**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index 3bd6236176..1be717ce49 100644
--- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -45,4 +45,4 @@ For more info about this design:
 
 -   For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
 
-**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 048a242e05..83f35fe206 100644
--- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -52,4 +52,4 @@ The information that you gather will help you answer the following questions. Th
 
 This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
 
-**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)
+**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)
diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index e5abd70033..d7bed686fa 100644
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -144,4 +144,4 @@ With the other information that you have gathered in this section, this informat
 
 The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
 
-**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
+**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 45577c869a..0fa1893aa6 100644
--- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -32,4 +32,4 @@ Generally, the task of determining zone membership is not complex, but it can be
 | SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)| 
 | PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary| 
 
-**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
+**Next:** [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 8179db1063..d0e345f2c5 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -63,4 +63,4 @@ The following groups were created by using the Active Directory Users and Comput
 
 >**Note:**  If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
 
-**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
+**Next:** [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index 2330b6ee32..ced058672b 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -67,4 +67,4 @@ The GPO for devices that are running at least Windows Server 2008 should includ
 
 -   If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs.
 
-**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)
+**Next:** [Planning Server Isolation Zones](planning-server-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
index 93dbefc241..5911a0bedc 100644
--- a/windows/security/threat-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -57,4 +57,4 @@ To keep the number of exemptions as small as possible, you have several options:
 
 As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
 
-**Next: **[Isolated Domain](isolated-domain.md)
+**Next:** [Isolated Domain](isolated-domain.md)
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index fef8bc41e2..5127569bc4 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -110,5 +110,5 @@ The following groups were created by using the Active Directory Users and Comput
 
 In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
 
-**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
+**Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
 
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index 5b0c733db4..cd4b6c6d78 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -37,4 +37,4 @@ Active Directory is another important item about which you must gather informati
 
 -   **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
 
-**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)
+**Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index 34b00db3ac..992c8390e8 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
@@ -118,4 +118,4 @@ Some of the more common applications and protocols are as follows:
 
 -   **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
 
-**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
+**Next:** [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
index 79f64faa4e..2feb5a2fd1 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md
@@ -59,4 +59,4 @@ Whether you use an automatic, manual, or hybrid option to gather the information
 
 This inventory will be critical for planning and implementing your Windows Defender Firewall design.
 
-**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
+**Next:** [Gathering Other Relevant Information](gathering-other-relevant-information.md)
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 7a20dd71a7..5d29784f77 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -82,4 +82,4 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
 
 Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
 
-**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
+**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index 65e05e7876..006015b36a 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -48,4 +48,4 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir
 
 Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
 
-**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
+**Next:** [Encryption Zone GPOs](encryption-zone-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index 0820c4aacb..e16a7ecc32 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -50,7 +50,7 @@ Change the action for every inbound firewall rule from **Allow the connection**
 
 Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
 
-**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
+**Next:** [Server Isolation GPOs](server-isolation-gpos.md)
 
  
 
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 81e55a89ac..e44b50dd82 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -70,4 +70,4 @@ This GPO provides the following rules:
 
 -   A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
 
-**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
+**Next:** [Isolated Domain GPOs](isolated-domain-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index 4701b4565d..eda2c2ccc5 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -88,4 +88,4 @@ This GPO provides the following rules:
 
     -   Authentication mode is set to **Do not authenticate**.
 
-**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
+**Next:** [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index 6e5fc43ced..bfe618f15f 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -31,5 +31,5 @@ Because so many of the settings and rules for this GPO are common to those in th
 
     >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
 
-**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
+**Next:** [Boundary Zone GPOs](boundary-zone-gpos.md)
 
diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
index 7c2bb196ff..bb06dc1bff 100644
--- a/windows/security/threat-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -64,4 +64,4 @@ GPOs for devices running at least Windows Vista and Windows Server 2008 should
 
     >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
 
-**Next: **[Boundary Zone](boundary-zone.md)
+**Next:** [Boundary Zone](boundary-zone.md)
diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index 8c6362f758..9c73c224b9 100644
--- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -38,4 +38,4 @@ Use the following table to determine which Windows Firewall with Advanced Securi
 
 To examine details for a specific design, click the design title at the top of the column in the preceding table.
 
-**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)
+**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index 71ef3b2620..100858ecbe 100644
--- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -59,4 +59,4 @@ When the clients and servers have the certificates available, you can configure
 
 Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell.
 
-**Next: **[Documenting the Zones](documenting-the-zones.md)
+**Next:** [Documenting the Zones](documenting-the-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 0536c63506..0798ba72d5 100644
--- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -43,5 +43,5 @@ Multiple GPOs might be delivered to each group. Which one actually becomes appli
 
 If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
 
-**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
+**Next:** [Planning Network Access Groups](planning-network-access-groups.md)
 
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index fb13446ed6..3043878e04 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -38,4 +38,4 @@ For the Woodgrove Bank scenario, access to the devices running SQL Server that s
 
 >**Note:**  Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
 
-**Next: **[Planning the GPOs](planning-the-gpos.md)
+**Next:** [Planning the GPOs](planning-the-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index f1977f0234..f42eca057b 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -79,4 +79,4 @@ GPOs for devices running at least Windows Server 2008 should include the follow
 
     >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
 
-**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
+**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index f75466f965..8138bd8ee1 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -55,4 +55,4 @@ The following is a list of the firewall settings that you might consider for inc
 
 -   **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
 
-**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
+**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index b00682c8e7..6992965186 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -95,4 +95,4 @@ After you have selected a design and assigned your devices to zones, you can beg
 
 When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
 
-**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
+**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 46d4138780..a3ca3c4b6e 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -47,4 +47,4 @@ The following component is recommended for this deployment goal:
 
 Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
 
-**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
+**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index d82a578afb..4f5c2b1cb0 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -45,4 +45,4 @@ The following components are required for this deployment goal:
 
 -   **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
 
-**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
+**Next:** [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index 66ddfe63d9..b34c8d48ea 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -49,4 +49,4 @@ The following components are required for this deployment goal:
 
 -   **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
 
-**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+**Next:** [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 015a1f0957..cbdd8e51d9 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -59,4 +59,4 @@ The following components are required for this deployment goal:
 
 -   **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
 
-**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
+**Next:** [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index a22b209144..dbffb1b8f1 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -36,4 +36,4 @@ This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following chan
 
     >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect.
 
-**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)
+**Next:** [Planning GPO Deployment](planning-gpo-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index f693d8a70b..b93e884682 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -82,4 +82,4 @@ If Woodgrove Bank wants to implement server isolation without domain isolation,
 
 You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption.
 
-**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
+**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 8a3e3033be..1eeea3dc76 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -59,4 +59,4 @@ For more info about this design:
 
 -   For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
 
-**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
+**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)