diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 2d04b0336a..96c9e4ff03 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -138,7 +138,8 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and
Here's an example:
-```
+
+```xml
@@ -150,13 +151,18 @@ Here's an example:
```
+
where:
+
- `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``.
+
- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+
- In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
> [!NOTE]
> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example.
+
@@ -177,4 +183,4 @@ The following table describes how this policy setting behaves in different Windo
-
\ No newline at end of file
+