Autopilot + ESP: The Deployment Pattern That Actually Survives Contact With Real Users


If you’re still PXE-booting laptops in the back room in 2026, you owe your techs a better life. Windows Autopilot with a properly configured Enrollment Status Page (ESP) is the MSP deployment pattern that scales — but only if you stop treating ESP as a tick-box and start treating it as the gate that enforces your security posture before the user ever sees a desktop. Here’s the deploy-it-well version.

Prerequisites People Miss

Business Premium gets you the licensing — Entra ID P1, Intune, and Windows 11 Pro/Enterprise entitlements. The bits that actually bite:

  • Automatic MDM enrollment must be on. Entra admin center → Mobility (MDM and WIP) → Microsoft Intune → MDM user scope = All (or a group). Miss this and the device joins Entra but never enrols into Intune, and the ESP just hangs.

  • Hardware hash registration path. For anything beyond a one-off, get the reseller to register devices to your tenant at purchase. Manual CSV uploads at OOBE are fine for a test VM; they’re a tax on your L1 team in production.

  • TPM 2.0 + device attestation are non-negotiable for self-deploying and pre-provisioning scenarios. VMs won’t cut it, and attestation needs outbound HTTPS to vendor-specific endpoints.

  • Cloud-native over hybrid join. Microsoft’s own guidance is explicit: deploy new devices as Entra-joined. If you’re still standing up the Intune Connector for AD in 2026, have a very good reason written down.

Full list: Windows Autopilot requirements.

Where To Configure

Everything lives in the Microsoft Intune admin center. Two paths you’ll wear out:

  • Deployment profile: Devices → Windows → Device onboarding → Enrollment → Windows Autopilot → Deployment Profiles → Create profile → Windows PC. User-driven, Entra-joined, Standard user account type, hide EULA and privacy settings, set a device name template, allow pre-provisioned deployment.

  • ESP profile: Devices → Device onboarding → Enrollment → Windows tab → Enrollment Status Page → Create. Do not edit the default “All users and all devices” profile — create your own and give it a higher priority.

References: Configure Windows Autopilot profiles and Set up the Enrollment Status Page.

The Rollout Pattern That Works

Three rings, same as your update rings. Don’t skip this.

  1. Pilot (IT / internal). Loose ESP — Block device use = No, timeout 90 minutes, log collection on. You want visibility, not gates.

  2. Early adopters. ESP enforced at the device phase only. Block device use = Yes, timeout 60 minutes, custom error message with your service desk number. Turn off the User / Account Setup phase — the overwhelming majority of ESP failures happen there, and device-targeted apps have already installed by that point.

  3. Production. Lock it. Required blocking apps = your EDR (Defender), BitLocker initiation, and one small “canary” Win32 app that proves apps are actually flowing. No more than five blocking apps total.

Assign both profiles to a dynamic device group filtered on (device.devicePhysicalIDs -any _ -contains "[ZTDId]") so Autopilot-registered devices land automatically.

Top Pitfalls

  • Too many blocking apps. Every blocking app is a potential ESP timeout. Keep it to security essentials; let the rest stream in post-desktop via required assignments.

  • User-phase ESP left enabled. User-targeted apps plus Known Folder Move plus OneDrive sync at first login is a timeout factory. Disable the account setup phase unless you have a specific, measured reason to keep it.

  • Dynamic group latency. Group membership can take minutes to evaluate and devices race ahead of policy. Mitigation: move to Autopilot device preparation (enrollment-time grouping) for new greenfield tenants, or accept the ring-one pilot friction as the cost of dynamic groups.
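As an added example (not the post's own code), the dynamic device group from the assignment step above created with Microsoft Graph PowerShell, followed by a check for the dynamic-group latency pitfall: Autopilot-registered devices that the membership rule has not yet picked up. The group name and mail nickname are constructed; the Microsoft.Graph modules and the listed permissions are assumed.

```powershell
# Added example, not the article's own code: creates the Autopilot dynamic device
# group and reports registered devices that dynamic membership has not yet picked up.
# Assumes the Microsoft.Graph modules are installed and the admin holds the scopes below.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','DeviceManagementServiceConfig.Read.All'

$groupName = 'SG-Autopilot-Devices'                                     # constructed name
$rule      = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'    # rule from the article

# Create the dynamic security group once; reuse it on later runs.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailNickname 'sg-autopilot-devices' `
        -MailEnabled:$false -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
    "Created $($group.DisplayName) ($($group.Id))"
}
if ($group.MembershipRuleProcessingState -ne 'On') {
    Write-Warning "Membership processing is '$($group.MembershipRuleProcessingState)'; the rule will not evaluate."
}

# Every Autopilot registration creates an Entra device object carrying the ZTDId, so
# every registered device should eventually be a member. Anything registered but not
# yet in the group is a device that can race ahead of the profile assignment.
$registered = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All
$memberIds  = Get-MgGroupMember -GroupId $group.Id -All |
              ForEach-Object { $_.AdditionalProperties['deviceId'] }

$missing = $registered | Where-Object {
    $_.AzureActiveDirectoryDeviceId -and ($memberIds -notcontains $_.AzureActiveDirectoryDeviceId)
}

"$(@($registered).Count) Autopilot devices registered, $(@($memberIds).Count) in group, $(@($missing).Count) not yet evaluated"
$missing | Select-Object SerialNumber, Model, AzureActiveDirectoryDeviceId, LastContactedDateTime |
    Format-Table -AutoSize
```

Re-run the second half after a batch of new registrations; a non-empty list a few minutes after registration is the latency the pitfall describes.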

For the broader lifecycle picture, start at Overview of Windows Autopilot.

Deploy it once, deploy it tight, and your zero-touch goes from aspirational to boring — which is exactly what production should be.

If I had fun, it’s sustainable. And that’s the real game.


Most MSPs I speak to are exhausted.

They’re exhausted from chasing the next tool, the next framework, the next silver bullet that’s meant to “fix” their business. They’re exhausted from content they feel obligated to create, services they feel pressured to offer, and noise they feel they must contribute to just to stay relevant.

So let me offer a much simpler filter. One that’s kept me sane, productive, and moving forward for a long time.

If I had fun, it’s sustainable. I’ll do it forever.
If it’s useful, I’m adding value, not contributing to the noise.
If I learn something, it’ll get better and better.

Do those three things consistently and, over the long term, you cannot lose.

Fun isn’t fluff — it’s fuel

“Fun” gets a bad rap in business. It’s often dismissed as unprofessional or indulgent. But fun isn’t about mucking around. Fun is energy. It’s momentum. It’s the difference between something you force yourself to do and something you keep coming back to.

If you dread writing content, you won’t do it consistently.
If you hate delivering a service, you’ll eventually resent your customers.
If you’re bored by your own business, burnout is guaranteed.

Sustainability doesn’t come from discipline alone. It comes from enjoyment. The things you genuinely enjoy are the things you’ll refine, improve, and stick with when motivation dips — and it always does.

MSPs who last aren’t the ones who “work the hardest”. They’re the ones who build a business they don’t secretly want to escape from.

Useful beats loud. Every time.

The internet doesn’t need more hot takes, recycled vendor slides, or AI‑generated waffle pretending to be insight.

Your customers don’t need more noise either.

Useful content and services do one thing well: they help someone move forward. They answer a real question. They reduce confusion. They remove friction. They save time, money, or stress.

That’s value.

If what you’re producing wouldn’t genuinely help one of your own customers tomorrow, stop. Don’t publish it. Don’t sell it. Don’t build it just because “everyone else is”.

Being useful compounds. Noise disappears.

Learning is the unfair advantage

Here’s the part most people miss.

When you’re having fun and being useful, learning becomes automatic.

You notice gaps.
You spot patterns.
You refine your thinking.

Each iteration gets slightly better than the last. Your writing improves. Your delivery sharpens. Your positioning clarifies. Your confidence grows — not from hype, but from competence.

This is how authority is actually built. Not by claiming expertise, but by accumulating it through repetition and reflection.

MSPs who keep learning don’t panic when tools change. They understand principles. They adapt faster because they’ve already done the thinking.

Consistency beats optimisation

Everyone wants the “right” strategy. The perfect offer. The ideal funnel.

But long‑term success doesn’t come from perfect planning. It comes from consistent execution guided by simple rules.

Ask yourself:

  • Did I enjoy doing this?

  • Did it genuinely help someone?

  • Did I learn something along the way?

If the answer is yes to all three, keep going. You’re on the right path.

You don’t need to win today. You just need to avoid losing over time.

And if you build a business where you’re having fun, adding value, and getting better every iteration?

That’s not just sustainable.

That’s unstoppable.

Attack Surface Reduction Rules in Microsoft 365 Business Premium: A Practical Deep Dive


If you manage Business Premium tenants for SMB clients, Attack Surface Reduction (ASR) rules are arguably the highest-leverage defensive control you’re not fully exploiting. They ship with Defender for Business (included in Business Premium), they cost nothing extra to enable, and they block the precise behaviours that commodity ransomware and living-off-the-land attacks depend on — Office spawning child processes, Win32 API calls from macros, credential theft from LSASS, and PSExec-style lateral movement. This post assumes you already know what ASR is. The goal here is to help L2/L3 engineers deploy it without breaking line-of-business apps.

Prerequisites the documentation underplays

ASR has hard dependencies that silently downgrade rules to “not configured” if missed. Microsoft Defender Antivirus must be the active AV (not passive, not disabled by a third-party product), real-time protection must be on, and cloud-delivered protection must be on — several rules won’t evaluate without cloud lookups. Verify these under Microsoft Defender portal → Endpoints → Configuration management → Device configuration, and confirm the device shows as “Active” in the device inventory. Tamper Protection must also be enabled tenant-wide; without it, local admins or malware can disable ASR in seconds.

Where to configure in Business Premium

Business Premium gives you two supported paths. The simplified experience lives at security.microsoft.com → Device configuration → Next-generation protection / Firewall, but ASR rules specifically are configured through Intune. In the Microsoft Intune admin center, go to Endpoint security → Attack surface reduction and create an “Attack surface reduction rules” profile targeting Windows 10/11. Avoid mixing this with legacy Endpoint Protection templates or Group Policy — conflicting sources result in the classic “last writer wins” behaviour, and you will spend hours chasing phantom rules. If a device is co-managed or has stale GPOs, check Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational (event IDs 1121, 1122, 5007) to confirm which source applied.

The rollout pattern that works

Do not flip rules straight to Block. The proven pattern is: enable every rule in Audit mode, leave it for two to four weeks, then review the ASR report at security.microsoft.com → Reports → Attack surface reduction rules. Filter by rule and by device, identify the noisy ones, and build per-rule exclusions before switching to Block. Where available, use Warn mode as a staged step — the user gets a toast and can unblock once, which is invaluable for finance teams running macro-heavy spreadsheets. Warn mode is Windows 10 1809+ only; older builds silently treat it as Block.

Start with the “standard protection” set Microsoft recommends: Block credential stealing from LSASS, Block abuse of exploited vulnerable signed drivers, and Block persistence through WMI event subscription. These have the lowest false-positive rate and the highest return. The two rules that most commonly break things are “Block Office applications from creating child processes” (breaks legitimate mail-merge and older add-ins) and “Block executable content from email client and webmail” (breaks zipped installers).

Pitfalls to pre-empt

Exclusions are path-based and case-sensitive on the file name portion — wildcards work on folders, not extensions. Per-rule exclusions (added in later releases) are preferred over global Defender exclusions; use them so you don’t inadvertently hole-punch the whole AV. If a rule appears to do nothing, check whether the device is in EDR block mode and whether Defender is the active AV — ASR is silently disabled under third-party AV. Finally, ASR events do not always surface as alerts; plumb them into your SIEM via the Defender API or Advanced Hunting (DeviceEvents where ActionType startswith "Asr").
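As an added example (not the post's own code), an endpoint-side script that reads the effective ASR mode per rule from Get-MpPreference and summarises the 1121/1122/5007 events from the Defender Operational log, which covers both the audit-period review from the rollout section and the "which source applied" check. It assumes an elevated PowerShell on the endpoint and the English event message text for its regexes; the rule GUIDs are Microsoft's published IDs for the five rules the post names.

```powershell
# Added example, not the post's own code. Shows the effective ASR mode for each
# rule and summarises ASR events from the local Defender Operational log.
# Assumptions: run elevated on the endpoint; event text is the English message
# format (the regexes below parse it); rule GUIDs are Microsoft's published IDs.
$ruleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}
# Get-MpPreference action codes per rule: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$modeNames  = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
# 1121 = blocked, 1122 = audited (would have blocked), 5007 = Defender setting changed
# (useful for spotting tampering or a second policy source rewriting the rules).
$eventNames = @{ 1121 = 'Block'; 1122 = 'Audit'; 5007 = 'ConfigChange' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToLower()
        $code = [int]$acts[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($ruleNames.ContainsKey($id)) { $ruleNames[$id] } else { '(other rule)' }
            Mode   = if ($modeNames.ContainsKey($code)) { $modeNames[$code] } else { "code $code" }
        }
    }
}

function Get-AsrEventSummary {
    param([int]$Days = 14)
    $filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                 Id        = 1121, 1122, 5007
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg  = $_.Message
        $rid  = if ($msg -match 'ID:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() } else { $null }
        $path = if ($msg -match 'Path:\s*([^\r\n]+)')       { $Matches[1].Trim() }   else { $null }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = $eventNames[[int]$_.Id]
            RuleId = $rid
            Rule   = if ($rid -and $ruleNames.ContainsKey($rid)) { $ruleNames[$rid] } else { $rid }
            Path   = $path
        }
    }
}

# Audit-period review: which rules fire, and on which paths? The top entries are the
# candidates for per-rule exclusions before switching that rule to Block.
Get-AsrRuleState | Sort-Object Mode | Format-Table -AutoSize
Get-AsrEventSummary -Days 28 | Where-Object Event -eq 'Audit' |
    Group-Object Rule, Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap
```

A rule that shows Mode = Audit locally while the Intune profile says Block, together with 5007 events, is the "last writer wins" conflict described above.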

References

CIA Brief 20260502


Microsoft 365 Copilot & AI Agents

Microsoft 365 Apps & Productivity

Security & Defender

Identity (Microsoft Entra)

Microsoft Sentinel

Exchange Online

Corporate / Earnings

After hours

Starship – Test like you Fly – https://www.youtube.com/watch?v=ANe_HW4X8oc

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

Why So Many MSPs Never Scale (And It’s Not the Market)


TONS of businesses never scale, and it’s rarely because the market is too competitive, margins are too thin, or clients are too demanding.

Most of the time, it’s because the owner can’t get a grip on their own issues.

In the MSP world, this shows up in a very specific way: the owner sees themselves AS the business.

Not running the business.
Not owning the business.
But being the business.

And that’s where scaling quietly dies.

When You Are the Business, Everything Is Personal

If your identity is welded to your MSP, every problem hits harder than it should.

A client complaint isn’t feedback — it’s an attack.
A staff mistake isn’t a process gap — it’s proof you’re failing.
A slow month isn’t normal variance — it’s existential panic.

So what happens?

You micromanage.
You hoard decisions.
You jump back into tech work “just to be safe”.
You delay hiring because no one can do it “as well as you”.

From the outside, it looks like dedication.
From the inside, it’s fear dressed up as responsibility.

And fear does not scale.

Separation Is the First Real Growth Lever

The moment things start to change is when you separate who you are from what your business does.

This isn’t about being cold or detached.
It’s about creating space.

When your MSP is something you own — not something you are — a few important things happen:

• You ride highs and lows better
• You think more calmly
• You make better decisions

Why? Because problems stop being personal.

A bad quarter becomes a data point.
A client loss becomes a signal.
A broken process becomes… a process to fix.

Not a judgement on your worth.

That emotional distance is not weakness. It’s leverage.

Calm Thinking Beats Heroic Effort Every Time

Most MSP owners think scaling is about working harder, being smarter, or “just pushing through”.

In reality, scaling is mostly about not panicking.

Panicked businesses make short‑term decisions:

  • Discounting to win the wrong clients

  • Delaying price rises they know are overdue

  • Overloading good staff because hiring feels risky

  • Chasing every opportunity instead of choosing the right ones

Calm businesses do the opposite.

They design roles instead of reacting to gaps.
They document because they expect people to follow systems.
They invest because they’re planning for the future, not bracing for impact.

Calm comes from separation. Separation comes from identity clarity.

Scarcity Is an Identity Problem

Here’s the uncomfortable truth: most “scaling problems” are actually scarcity problems.

And scarcity almost always lives in the owner’s head.

If you believe:

  • “Clients are hard to replace”

  • “Good staff are impossible to find”

  • “If I stop doing this myself, it will fall apart”

Then every decision is defensive.

But when you stop seeing your MSP as a reflection of you, something shifts.

You start approaching growth from abundance instead of panicked scarcity.

You realise:

  • Clients come and go — systems remain

  • Staff are attracted to clarity, not chaos

  • Your job is to build the machine, not be the machine

That’s when scaling stops being stressful and starts being strategic.

The Business Is the Product — Not You

If your MSP can’t function without your constant presence, you don’t have a business. You have a very demanding job.

Real scale begins when the business becomes something that can be observed, improved, and grown — independently of your mood, energy, or ego.

Detach your identity.
Build with intention.
Lead with calm.

That’s how MSPs actually scale.

Not louder.
Not faster.
But clearer.

Building Conditional Access That Actually Works: Requiring Intune‑Compliant Devices


Requiring Intune‑compliant devices via Conditional Access is one of the most impactful controls available to Microsoft 365 Business Premium tenants. It’s also one of the easiest ways to accidentally break access if you don’t understand how the moving parts fit together.

This article walks through the end‑to‑end mechanics, not just the clicks, so L2/L3 engineers understand why policies behave the way they do.


Architecture: What Happens During Sign‑In

When a user signs into a cloud app (Exchange Online, SharePoint, Teams):

  1. Microsoft Entra ID evaluates applicable Conditional Access policies

  2. If a policy requires a compliant device, Entra queries Intune

  3. Intune returns a binary verdict: Compliant or Not compliant

  4. Access is granted or blocked accordingly

Microsoft explicitly states that Conditional Access relies on Intune compliance state and will not function as intended without an Intune compliance policy in place. [learn.microsoft.com]

This is not a soft dependency — no compliance policy means every device fails the check.


Step 1: Define “Compliant” in Intune (Before Touching Conditional Access)

In the Intune admin centre (intune.microsoft.com):

Devices → Compliance policies → Create

At minimum for Windows endpoints in Business Premium, Microsoft supports compliance checks such as:

  • BitLocker enabled

  • Secure Boot enabled

  • Minimum OS version

  • Antivirus and firewall present

These controls form the inputs to Conditional Access — they do nothing by themselves. [learn.microsoft.com]

Operational tip:
Assign compliance policies to user groups, not devices. Conditional Access evaluates user sign‑ins, not device objects.


Step 2: Create the Conditional Access Policy

In the Microsoft Entra admin centre (entra.microsoft.com):

Protection → Conditional Access → Policies → New policy

Core configuration (baseline):

  • Users

    • Include: Target user group (do not start with All users)

    • Exclude:

      • Emergency access (break‑glass) accounts

      • Service accounts (where applicable)

Microsoft explicitly recommends excluding emergency access accounts to avoid tenant lockout. [learn.microsoft.com]

  • Target resources

    • Start with: Exchange Online or Office 365

    • Expand later to “All cloud apps”

  • Grant

    • ✅ Require device to be marked as compliant

  • Enable

    • ✅ Report‑only (initially)

This exact flow is documented by Microsoft as the supported deployment approach. [learn.microsoft.com]


Step 3: Report‑Only Mode Is Not Optional

Report‑only mode evaluates the policy without enforcing it. This allows you to:

  • Confirm which users would be blocked

  • Identify unmanaged or unenrolled devices

  • Detect users authenticating from unsupported platforms

Microsoft strongly recommends Report‑only mode before enforcement for Conditional Access policies of this type. [learn.microsoft.com]

Validation path:

  • Entra ID → Sign‑in logs

  • Filter: Conditional Access → Report‑only

  • Review failure reasons
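As an added example (not the article's own code), the same policy built with Microsoft Graph PowerShell: Step 2's settings in report-only mode, then Step 3's validation pulled from the sign-in logs instead of the portal filter. The pilot group name and break-glass UPN prefix are constructed placeholders; the Microsoft.Graph modules and the listed permissions are assumed, and the Exchange Online application ID is the well-known Office 365 Exchange Online service principal.

```powershell
# Added example, not the article's own code: creates the compliant-device policy in
# report-only mode and lists the sign-ins it would have blocked.
# Assumptions: Microsoft.Graph modules installed; group/account names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Group.Read.All','User.Read.All','AuditLog.Read.All'

$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Users'"                 # constructed
$breakGlass = Get-MgUser  -Filter "startswith(userPrincipalName,'breakglass')"       # constructed

$policy = @{
    displayName = 'CA-Require-Compliant-Device-EXO (pilot)'
    state       = 'enabledForReportingButNotEnforced'      # Step 3: report-only first
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroup.Id)               # never start with All users
            excludeUsers  = @($breakGlass.Id)               # emergency access accounts
        }
        applications = @{
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')   # Exchange Online
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')             # Require device to be marked as compliant
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Step 3 validation: report-only outcomes are recorded per sign-in under
# appliedConditionalAccessPolicies. reportOnlyFailure = would have been blocked.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
    $signIn = $_
    $signIn.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' } |
        ForEach-Object {
            [pscustomobject]@{
                When      = $signIn.CreatedDateTime
                User      = $signIn.UserPrincipalName
                Device    = $signIn.DeviceDetail.DisplayName
                OS        = $signIn.DeviceDetail.OperatingSystem
                Managed   = $signIn.DeviceDetail.IsManaged      # $false = not MDM-enrolled
                Compliant = $signIn.DeviceDetail.IsCompliant
            }
        }
} | Group-Object User, OS, Managed, Compliant | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Rows with Managed = False are the unenrolled devices from Step 4; rows with Managed = True but Compliant = False point at a compliance policy gap rather than an enrolment gap.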


Step 4: Common Failure Scenarios (Seen in the Wild)

“User prompted repeatedly for MFA then blocked”

  • Device is Entra ID joined but not enrolled in Intune

  • No compliance policy applies to the user

“macOS or BYOD phones blocked unexpectedly”

  • Platform not covered by a compliance policy

  • Device enrolment incomplete

“Policy works for admins but not staff”

  • Admins often use already‑managed devices

  • Staff devices lag behind in enrolment

Microsoft documents that Conditional Access can only evaluate compliance for MDM‑enrolled devices. [learn.microsoft.com]


Step 5: When Not to Use Compliant‑Only Access

Microsoft explicitly provides alternative templates where compliance is one of several controls, not the only one, such as:

  • Compliant device OR Microsoft Entra hybrid joined OR MFA

This is recommended where full device management is not realistic. [learn.microsoft.com]


Production Roll‑Out Recommendation

For Business Premium tenants, Microsoft’s own Zero Trust guidance aligns to:

  1. Require MFA first

  2. Enrol devices into Intune

  3. Require compliant devices for core workloads

  4. Expand to all cloud apps once stable [learn.microsoft.com]


Official Microsoft References

Margin Compression: When Cost‑to‑Serve Rises Faster Than Revenue


If margins collapse, nothing else matters.

Not growth.
Not MRR.
Not headcount.
Not how many logos are on your website.

This is why margin compression is the number one silent killer in the MSP industry right now.

On paper, many MSPs look healthy. Revenue is climbing. Client counts are up. Service catalogues are expanding. But underneath that surface-level success, net margins are flat at best—and often shrinking. The business is working harder for the same outcome, or worse, less profit. Multiple industry analyses point to the same culprits: labour, vendor/software spend, and a widening mismatch between scope and price, with labour consistently the largest cost line for most MSPs.

This is brutal because it hides in plain sight.

The profitability illusion

Margin compression doesn’t usually show up as a dramatic collapse. It shows up as a slow bleed.

You win a few more clients.
You add a couple more technicians.
You roll out another security tool “for free” to stay competitive.
You absorb a few extra requests because “it’s just easier”.

Your MRR graph keeps pointing up, so everything must be fine… right?

Except EBITDA isn’t moving. Cash flow feels tighter. Owners stop paying themselves properly. Every problem feels urgent because there’s no margin buffer left. That’s the illusion: growth masking decay.

Industry commentary has been calling this out more loudly over the last year. MSPs are growing, but profits aren’t keeping pace. The core issue isn’t sales—it’s that cost‑to‑serve is rising faster than contract value, driven by operational complexity and unpriced work.

Why cost‑to‑serve keeps exploding

Let’s be blunt about what’s changed.

Labour costs are rising
Good technicians are expensive. Great ones are rarer and cost more. Wage inflation, retention pressure, burnout, and higher expectations all push labour costs up. For most MSPs, labour is the single largest expense, and even small efficiency losses compound quickly.

Security workload per endpoint has exploded
Endpoints are no longer “patch and forget”. Each one now carries identity, conditional access, EDR, alert triage, reporting, compliance evidence, and incident response expectations. The workload per user has multiplied, but many contracts haven’t.

Fixed‑price contracts were written for a simpler era
“All‑you‑can‑eat” sounded great when environments were smaller, flatter, and less regulated. Today, that same pricing model absorbs cloud sprawl, security alerts, identity issues, SaaS churn, and board‑level reporting—without a matching price increase.

Scope creep is now systemic
This isn’t the odd favour. This is unbounded complexity baked into the operating model. New vendors roll out defaults. Microsoft changes behaviour. Security baselines shift. Clients expect it all to be “included”. The contract never gets revisited.

The result? MSPs are expected to deliver more, faster, and safer—without adding headcount and without raising prices. That maths simply doesn’t work.

Labour: the biggest margin leak

When people talk about margin problems, they often blame tools first. And yes, vendor and software costs matter. Tool sprawl hurts. Licensing creep is real.

But labour is where margins truly die.

Every extra ticket minute. Every manual process that should have been automated. Every alert that requires human triage. Every undocumented workaround that only “that one senior tech” knows.

Those minutes add up to hours. Those hours add up to FTEs. And those FTEs are increasingly hard to fund under legacy pricing models. This is why so many MSP margin leaks trace back to time—unbilled, under‑priced, or poorly controlled. [level.io]

Why this problem is so dangerous

Margin compression doesn’t announce itself.

You don’t get an alert. You don’t get an email. Your PSA won’t warn you.

What you get instead is exhaustion. Constant pressure. The feeling that you’re always behind, even though you’re “successful”.

And here’s the real danger: once margins are gone, you lose options.

You can’t invest. You can’t absorb shocks. You can’t say no to bad clients. You can’t slow down long enough to fix the model.

That’s why this is problem #1. Not because it’s flashy—but because it quietly removes your ability to respond to everything else.

The uncomfortable truth

You cannot out‑sell margin compression. You cannot hire your way out of it. And you definitely can’t ignore it.

If your cost‑to‑serve is rising faster than your revenue, growth will make things worse, not better.

The MSPs that survive the next phase of this industry won’t be the ones with the most clients. They’ll be the ones who understand their margins, price complexity properly, and stop pretending that “unlimited” still exists.

Because in 2026, unlimited delivery with fixed pricing isn’t a value proposition.

It’s a slow, quiet business killer.