Labeled code block

windows/client-management/mdm/policy-csp-restrictedgroups.md

@@ -138,7 +138,8 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and
 <!--Example-->
 
 Here's an example:
-```
+
+```xml
 <groupmembership>
     <accessgroup desc = "Group1">
         <member name = "S-1-15-6666767-76767676767-666666777"/>
@@ -150,13 +151,18 @@ Here's an example:
     </accessgroup>
 </groupmembership>
 ```
+
 where:
+
 - `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
+
 - `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
+
 - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.
 
 > [!NOTE]
 > Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example.
+
 <!--/Example-->
 <!--Validation-->