Honestly as wide spread as it is, managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code.

Linux has a lot of the pieces but is principally lacking a solid distribution system - in particular a big missing component is the network-based SELinux policy distribution system which you can see some hooks in for the concept of a "policy server" which never eventuated.

SELinux would be a lot more viable if it had a solid way to federate and distribute policy and has some nice features in that regard (i.e. the notion that networked systems can exchange policy tags to preserve tagging across network connections).

> managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code

Imho, this was historically (and continues to be) Microsoft's Achilles heel.

Large parts of the company reflexively wrote features / tooling as manual-first, code-second (or never).

In hindsight, what was missing was a Gates-level memo circa 2000 similar to Amazon's API one: all teams are required to build their configurators to be programmatically exposed.

Unfortunately, I don't think Ballmer was enough of a technologist (and was likely too distracted) to intuit that path not taken.