> managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code

Imho, this was historically (and continues to be) Microsoft's Achilles heel.

Large parts of the company reflexively wrote features / tooling as manual-first, code-second (or never).

In hindsight, what was missing was a Gates-level memo circa 2000 similar to Amazon's API one: all teams are required to build their configurators to be programmatically exposed.

Unfortunately, I don't think Ballmer was enough of a technologist (and was likely too distracted) to intuit that path not taken.