diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index 2ca7e8267c..1eaf9e6b79 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -33,55 +33,55 @@ This event generates when a logon session is created (on destination machine). I
***Event XML:***
-```
--
--
-
- 4624
- 2
- 0
- 12544
- 0
- 0x8020000000000000
-
- 211
-
-
- Security
- WIN-GG82ULGC9GO
-
-
--
- S-1-5-18
- WIN-GG82ULGC9GO$
- WORKGROUP
- 0x3e7
- S-1-5-21-1377283216-344919071-3415362939-500
- Administrator
- WIN-GG82ULGC9GO
- 0x8dcdc
- 2
- User32
- Negotiate
- WIN-GG82ULGC9GO
- {00000000-0000-0000-0000-000000000000}
- -
- -
- 0
- 0x44c
- C:\\Windows\\System32\\svchost.exe
- 127.0.0.1
- 0
- %%1833
- -
- -
- -
- %%1843
- 0x0
- %%1842
-
-
-
+```xml
+
+
+
+
+ 4624
+ 2
+ 0
+ 12544
+ 0
+ 0x8020000000000000
+
+ 211
+
+
+ Security
+ WIN-GG82ULGC9GO
+
+
+
+ S-1-5-18
+ WIN-GG82ULGC9GO$
+ WORKGROUP
+ 0x3e7
+ S-1-5-21-1377283216-344919071-3415362939-500
+ Administrator
+ WIN-GG82ULGC9GO
+ 0x8dcdc
+ 2
+ User32
+ Negotiate
+ WIN-GG82ULGC9GO
+ {00000000-0000-0000-0000-000000000000}
+ -
+ -
+ 0
+ 0x44c
+ C:\\Windows\\System32\\svchost.exe
+ 127.0.0.1
+ 0
+ %%1833
+ -
+ -
+ -
+ %%1843
+ 0x0
+ %%1842
+
+
```
***Required Server Roles:*** None.
@@ -144,17 +144,17 @@ This event generates when a logon session is created (on destination machine). I
## Logon types and descriptions
-| Logon Type | Logon Title | Description |
-|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 2 | Interactive | A user logged on to this computer. |
-| 3 | Network | A user or computer logged on to this computer from the network. |
-| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
-| 5 | Service | A service was started by the Service Control Manager. |
-| 7 | Unlock | This workstation was unlocked. |
-| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
-| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
-| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
+| Logon Type | Logon Title | Description |
+|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `2` | `Interactive` | A user logged on to this computer. |
+| `3` | `Network` | A user or computer logged on to this computer from the network. |
+| `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
+| `5` | `Service` | A service was started by the Service Control Manager. |
+| `7` | `Unlock` | This workstation was unlocked. |
+| `8` | `NetworkCleartext` | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
+| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
+| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
+| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.