Audit week: what exactly is on that machine?
The evidence request doesn't care how good your memory is. This is the week the difference between an intended state and a signed-off record stops being academic.
The question that starts the week
The evidence request lands, and somewhere around item twelve it asks: describe the standard configuration applied to end-user devices, including any hardening, and provide evidence of when it was applied and who approved it.
You are not worried about the machines. You are worried about the word evidence. The estate is probably fine — the problem is proving it, this week, to someone whose job is not to take your word for it.
Reconstruction is not a record
Here is how that question usually gets answered:
- Screenshots of the management portal, taken today, showing what the policy set looks like now.
- An export of assigned configuration profiles — accurate, unreadable, and silent on when anything actually reached a device.
- A build document on the wiki, last edited by someone who has since left.
- Memory. Yours, mostly.
Each of these describes the estate's intended state. None of them is a record of what was deployed, when, and on whose approval. That gap — between here is our current policy set and here is what we built, and here is the sign-off — is exactly the gap an auditor is trained to probe.
The plan you approved is the record
Decolla builds Windows devices through your own Microsoft Intune and Autopilot tenant — and it refuses to run anything until a plan exists.
The wizard defines the build up front: platform, chassis, scenario and make, then configuration, then selection from a curated catalogue of 260+ pre-built, industry-tested items across 21 sections — policies, scripts and fixes, filtered for relevance and defaulted by a conditional engine, so OEM tooling follows the make, power configuration follows the chassis, and hardening is part of the build rather than an afterthought.
The output is an itemised, written plan. Every line states what will be applied, how it will be delivered, and its reversibility class — from automatically reversible through to irreversible, with irreversible items flagged before you approve anything. Nothing runs until you have read the plan and approved it. Then deployment runs unattended, in your tenant.
That document — the itemised plan plus your approval — is the audit artefact. When the evidence request asks what the standard configuration is and who approved it, you are not reconstructing. You are attaching.
What it proves — and what it doesn't
Worth being precise here, because your auditor will be:
- It records the approved build. Everything that was planned and approved to run, item by item, with delivery method and reversibility — a record of intent and sign-off, not a completion report, since an individual Microsoft install can still fail. Rollback — per item or whole build — covers Decolla's own changes only. It will not unwind a failed Microsoft install or anything another tool changed.
- It is not a live inventory. The plan is a record of what was planned and approved to run, not a telemetry feed of the machine's current state. What users install afterwards is a different question, answered by different tooling.
- It runs in your tenant. Decolla operates over your own Intune and Autopilot, and the Graph scopes it requests are published in full before you connect — so the access itself is auditable too.
A record that states its own limits plainly tends to survive scrutiny better than one that claims everything.
Built on the answering side of the table
Decolla is a product of The Cloud Platform Ltd, a working UK IT consultancy — the kind of business that sits on the answering side of these evidence requests, not the asking side. The plan-first design exists because reconstruction from memory is a poor way to spend audit week, and everyone who has done it knows it.
Decolla is currently in private build. If a device build whose paperwork exists as a by-product of doing the build would change your next audit week, the early-access waitlist is open below.
See it on a real device.
Decolla is in private build — early-access members see a build defined, deployed and rolled back first.
Get early access