Fix links

This commit is contained in:
Vinay Pamnani
2023-07-10 14:21:50 -04:00
parent 11d4bb7d3b
commit 800b592443
41 changed files with 98 additions and 99 deletions

@ -15,7 +15,7 @@ The following table lists the edition applicability for all Application Isolatio
|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|
|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Application Isolation features.
@ -27,4 +27,4 @@ The following table lists the licensing applicability for all Application Isolat
|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
|[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)|Yes|Yes|Yes|Yes|Yes|
|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|Yes|

@ -23,4 +23,4 @@ ms.topic: include
| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
| **[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
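Review bot: The new Windows Sandbox target in the last row is a file-relative path (`../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md`), and the hunk header shows this file is `ms.topic: include`, so the link only works if the build resolves it against the include file's own location and not against whichever article pulls the include in. Please confirm that with a build or link-validation run; if includes are consumed from articles at different folder depths and resolution follows the article, keep the site-rooted form here.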

@ -12,7 +12,7 @@ The following table lists the edition applicability for all Protecting Your Work
|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|
|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|
|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Protecting Your Work Information features.
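Review bot: On the changed row, the link text "Manage by Mobile Device Management (MDM) and group policy" now points at `windows-security-baselines.md`, while the "Security baselines" row two lines above links to `/mem/intune/protect/security-baselines`, so the row whose label mentions baselines and the row whose target is about baselines are different rows. The path fix itself follows the move from `threat-protection/` to `operating-system-security/device-management/`, but consider retitling this row or pointing it at an article about MDM and group policy management so readers land where the label says.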
@ -22,5 +22,5 @@ The following table lists the licensing applicability for all Protecting Your Wo
|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
|[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)|Yes|Yes|Yes|Yes|Yes|
|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|Yes|
|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|

@ -12,7 +12,7 @@ ms.topic: include
| **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
| **[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
| **[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. |
| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a <br>Microsoft hosted cloud subscription service that supports a zero-trust security model by <br>enabling network isolation of printers, including the Universal Print connector software, from <br>the rest of the organization's resources. |
## Update
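Review bot: The description on the changed row repeats the first paragraph of the "Security baselines" row verbatim and never mentions group policy, even though the row is titled "Manage by Mobile Device Management (MDM) and group policy" and now links to the Windows security baselines article. Since this row is being touched anyway, either give it its own description that covers group policy or merge it with the "Security baselines" row.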

@ -9,7 +9,7 @@ The following table lists the edition applicability for all Hardware Root-Of-Tru
|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:-:|:-:|:-:|:-:|:-:|
|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|
|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|
|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
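Review bot: Only the System Guard row is updated; the Trusted Platform Module (TPM) 2.0 and Microsoft Pluton rows right below it still use site-rooted paths under `/windows/security/information-protection/`. This commit moves the Kernel DMA protection link out of that same folder to `hardware-security/`, so check whether the TPM and Pluton articles moved too and, if so, update both rows here and in the licensing table that follows in the same pass.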
@ -17,6 +17,6 @@ The following table lists the licensing applicability for all Hardware Root-Of-T
|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:-:|:-:|:-:|:-:|:-:|:-:|
|[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)|Yes|Yes|Yes|Yes|Yes|
|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|Yes|
|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|

@ -13,7 +13,7 @@ The following table lists the edition applicability for all Silicon Assisted Sec
|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|
|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|
The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
@ -23,4 +23,4 @@ The following table lists the licensing applicability for all Silicon Assisted S
|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
|[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)|Yes|Yes|Yes|Yes|Yes|
|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|Yes|

@ -9,7 +9,7 @@ ms.topic: include
| Security Measures | Features & Capabilities |
|:---|:---|
| **[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
| **[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
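Review bot: Not part of the link change, but the Pluton row in this hunk's context reads "a discreet TPM 2.0", which should be "discrete" (the next sentence spells it correctly), and "root-of trust" is missing a hyphen where the rest of the row writes "root-of-trust". Worth fixing while this file is open, since the difference between a discrete TPM and one integrated into the processor is the point of that paragraph.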
@ -21,4 +21,4 @@ ms.topic: include
| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
| **[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
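Review bot: The changed Kernel DMA protection row carries over "protects against external peripherals from gaining unauthorized access to memory", which does not parse; "prevents external peripherals from gaining" or "protects against external peripherals gaining" would read correctly. The HVCI row in the same hunk also has "HCVI enabled by default in the BIOS", a transposition of HVCI.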