Assessment & posture readiness
Before Decolla changes anything in your tenant, it reads. This section is the read-only discovery pass that establishes the before-state the rest of the build is measured against.
Why this matters
Most Intune builds start with an act of faith: that the tenant's identity posture is sound, the Group Policy estate is understood, and the licences on the invoice match the entitlements actually in the tenant. All three assumptions fail routinely. A brownfield AD carries years of accumulated configuration nobody can fully describe; GPOs overlap, contradict, and silently fight the MDM profiles you are about to deploy; and licence-dependent features — Endpoint Privilege Management, Remote Help, Autopatch, Cloud PKI — tend to fail quietly when the entitlement is missing, with no clear error at the point of failure.
There is a second, subtler cost. If nobody records where the tenant started, there is no honest way to demonstrate what the build changed. It's better now is not evidence. A recorded baseline is.
What a good build does
Every item in this section is read-only. Nothing here writes to your tenant, and the scopes each check requests are published before you connect. Decolla's catalogue is journey-ordered, and discovery sits first deliberately: the identity and AD posture scan audits built-in hardening, the Secure Score gauge reads the tenant's current score as the baseline, and the GPO conflict report ingests your own Group Policy backup XML and warns — per catalogue item — where an existing GPO would clash with a policy you are about to select.
The licence and prerequisite readiness check verifies Entra ID P2, Intune Suite/EPM, Remote Help, Autopatch and Cloud PKI entitlements before licence-dependent items are selected, so the itemised plan you approve only contains things your tenant can actually run. And what discovery finds is yours to keep: the before-state on record, in your hands, not locked away in a tool.
Where it bites people
Two failures recur in brownfield tenants.
- The licence gap found mid-deployment. An admin assigns EPM elevation rules or Remote Help, the deployment appears to complete, and the feature simply does not function — because the Intune Suite entitlement was never in the tenant. The failure surfaces as a helpdesk ticket, not an admin-centre warning. Checking entitlements before selection, rather than after failure, is the only clean fix.
- GPO versus MDM conflict. A co-managed estate keeps its GPOs, and a setting delivered by both Group Policy and an Intune profile resolves by precedence rules most teams discover empirically, one ticket at a time. A per-item conflict warning generated from your actual GPO backups turns that archaeology into a checklist you clear before deployment, not after.
Neither problem is exotic. Both are why this section exists — and why it runs first.
What's in this section (6 items)
| Item | Tier | Delivery | Reversibility |
|---|---|---|---|
| AD identity posture scan - built-in hardening audit | Recommended | manual | auto |
| Microsoft Secure Score live gauge (read-only) | Recommended | automation | auto |
| Group Policy Analytics import + migration readiness | Optional | manual | auto |
| GPO Conflict-Report (ingest GPO backup XML, warn per item) | Recommended | manual | auto |
| Audit AD computers' network config to CSV | Optional | platformScript | reverse |
| Licence & prerequisite readiness check | Standard | script | auto |
Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.
See it on a real device.
Decolla is in private build — early-access members see a build defined, deployed and rolled back first.
Get early access