Information
This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands.
The recommended state for this setting is: Defined:(blank)
POSIX is included with Windows and enabled by default. If you don't need it, leaving it enabled could introduce an additional attack surface to your environment.
Solution
To establish the recommended configuration via GP, set the following UI path to Defined: (blank) :
Computer Configuration\Security Settings\Local Policies\Security Options\System settings: Optional subsystems
Impact:
Removes POSIX compatibility.