HomeScenarios › 260 decisions
Scenario: decision fatigue

260+ decisions per build

A properly considered Windows build is not one decision. It is hundreds of small ones — and on most fleets, the majority get made by fatigue rather than policy.

The arithmetic nobody says out loud

Write down everything a defensible build actually settles and the list gets long fast. Disk encryption and where the recovery keys live. Local admin handling. Which attack surface reduction rules to enforce and which to audit first. Power behaviour — which is a different answer on a laptop than on a desktop. Whether the OEM's own update tooling belongs on the device, and which OEM that even is. Locale, keyboard, time zone. Drive layout. Whether the hardware can carry memory integrity without breaking something you rely on. Browser baselines. The list goes on.

Each item is quick to state, slow to research, and easy to get subtly wrong. Decolla's catalogue holds 260+ build items across 21 sections — and that number is not padding. It is roughly what "considered" looks like once you stop rounding it down.

Fatigue is a policy engine

Nobody makes decision 187 with the same care they gave decision 7. Somewhere in the second hour, we'll revisit that later quietly becomes the standard, and "leave it as it comes" becomes the fleet's security posture.

Here is the uncomfortable part: the setting you left at its default is still a decision. It just was not yours. It was made by whoever wrote that default, for a generic device, with a different threat model and someone else's fleet in mind. And when a review or an audit surfaces it eighteen months later, the person answering for it is not the default. It is whoever owns the risk — usually the IT manager who signed the build off at 4pm on a Friday.

The settings you never had reason to meet

There is a second problem, and diligence alone does not fix it. Even a careful admin only knows the settings they have already had cause to encounter. Some of the highest-value policies are precisely the ones most people never find: the configuration that ends a recurring helpdesk ticket for good, the hardening option buried three layers deep in a place no sensible person browses for fun.

This is what Decolla's Library is for. It is a set of pre-built, industry-tested policies, scripts and fixes — including the mundane, recurring helpdesk fixes and the hardening steps that belong in the build rather than in a backlog — assembled through Decolla's own mechanisms. The weeks you would spend finding, testing and packaging that yourself happen in seconds.

Curated defaults are not fewer decisions

Decolla does not shrink the list. It changes what each item costs you. The wizard starts by asking what you are actually building — platform, chassis, scenario, make — and a conditional engine filters the 260+ items down to the ones relevant to that answer, then pre-answers everything it can defensibly pre-answer: OEM tooling matched to the make, power settings matched to the chassis, drive strategy, locale, the memory-integrity gate, existing tenant versus new.

So instead of researching 260+ questions, you review sensible answers and change the ones you disagree with. Defining the build takes minutes. To be clear about what that does not mean: Decolla does nothing to the speed of Microsoft's side of enrolment — Intune and Autopilot run at Microsoft's pace, same as always. The time is won in assembly, not installation.

Defaulted is not the same as decided for you

A sceptic's fair worry: swapping fatigue-defaults for vendor-defaults just moves the problem. Which is why nothing in Decolla runs on trust. Every build produces an itemised written plan before anything executes — each item showing how it is delivered and its reversibility class: applies automatically, reversible, or irreversible and flagged as such. You read it. You approve it. Then it runs unattended, in your own Microsoft tenant, with the Graph scopes it requests published in full before you ever connect.

Afterwards, you can roll back any single item or the whole build — covering Decolla's own changes only; it will not pretend to unwind a failed Microsoft install. The decisions stay yours. What changes is that they are made by policy, on purpose, at 9am — not by tiredness at 4pm.

Decolla is a product of The Cloud Platform Ltd, built out of a working UK IT consultancy. It is currently in private build. If the fatigue-default build sounds like your last rollout, the early-access waitlist is below.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access