HomeBuild items › App packaging delivery
Build items · Applications

App packaging & delivery

Getting one app installed is easy. Getting a whole catalogue installed reliably, detected correctly, assigned by entitlement and kept patched is where most Intune builds quietly fall apart.

Why this matters

App delivery is where an Intune build stops being configuration and starts being someone's working day. Every administrator has the war stories: a Win32 app the console marks as failed even though it installed fine, because the detection rule checked a path the vendor moved in an update; a finance package assigned to an ad-hoc device group so nobody can say who is actually entitled to it; a fleet of third-party apps still running whatever version was current on the day the estate was built.

The two pains that come up most consistently are exactly those: misconfigured detection rules and unpatched third-party software. The first generates helpdesk tickets indefinitely; the second is an audit finding waiting to happen. And in a zero-touch world the stakes are higher still — a required app that never reports as installed can leave a brand-new device stranded mid-provisioning.

What a good build does

Decolla treats app delivery as a pipeline, not a pile of one-off packages. Installer folders go through a generic ingest pipeline and come out as properly formed Win32 (.intunewin) apps — install command, uninstall command and detection logic all defined from the start, rather than bolted on after the first failure.

Where an application is available through winget or the Microsoft Store, the build can use the newer Store-backed app type instead of hand-packaging. But this is an explicit either/or: Store-backed delivery conflicts with debloat items that remove or unpin the Store, so Decolla surfaces that decision up front and records it in the written plan rather than letting it resurface later as a mystery failure.

Assignment follows a licence-group model — each paid product maps to an Entra ID group, so installation tracks entitlement and nobody has to reverse-engineer an ad-hoc device group to work out who should have what. For keeping it all current, the catalogue includes wiring in a third-party patching service such as Patch My PC or Scappman, so applications stop ageing from the day of the build. Every item lands in the itemised plan with a delivery and reversibility class, and Decolla can roll back its own changes item by item.

Where it bites people

Two failure modes come up again and again.

What's in this section (7 items)

ItemTierDeliveryReversibility
Generic installer-folder ingest pipelineOptionalplatformScriptreverse
Org/role-specific LOB software slotOptionalwin32reverse
Per-product Entra licence-group LOB deployment modelRecommendedwin32reverse
CloudConnect MSI -> Win32 + migrate 7 NETLOGON scriptsOptionalwin32reverse
Winget / Store-backed app deployment (new Store app type)Recommendednativereverse
Third-party app patching (Patch My PC / Scappman)Recommended · Patch My PC/Scappman subscriptionlicensedreverse
Company Portal self-service app catalogue (LOB apps as Available)Standardnativereverse

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access