The marketing says 15-minute Autopilot onboarding. The reality, on a first-gen config, is 45-90 minutes and three reboots. Here's how to actually get it under 20 minutes.
Measure before tuning
Build five test machines. Record wall-clock time from power-on to desktop-ready. Record which ESP stage takes longest. The answer is almost always "device preparation" due to too many required apps, or "account setup" due to sync conflicts on the primary user's profile.
Keep "required" tight
Every app marked required blocks the ESP until it finishes installing. Anything over six apps, and you're fighting a losing battle. Mark the absolute minimum as required (endpoint agent, VPN client, PIM helper) and move the rest to "available" or post-ESP.
Win32 app sequencing
Win32 apps install serially within a dependency graph. If App B depends on App A, and App A installs in 4 minutes, App B waits. Break dependencies that don't strictly exist — "Office depends on .NET" is usually false (Office ships its runtime) and costs you 3 minutes.
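A planning sketch for the two sections above (the required-app list and Win32 dependency chains), added here as an example and not taken from this article's tooling or from Intune. It assumes, as the text states, that every required app and each of its dependencies installs one after another while the ESP blocks; the app names, timings and function names are constructed for illustration.

```python
# Constructed sample data: app -> (install minutes, dependencies).
# Names and timings are illustrative assumptions, not measurements.
APPS = {
    "dotnet-runtime": (3, []),
    "office": (9, ["dotnet-runtime"]),
    "endpoint-agent": (2, []),
    "vpn-client": (3, ["endpoint-agent"]),
    "pim-helper": (1, []),
}

def install_order(required, apps):
    """Required apps plus their transitive dependencies, dependencies first."""
    order, state = [], {}

    def visit(name, path):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("dependency cycle: " + " -> ".join(path + [name]))
        if name not in apps:
            raise KeyError(f"unknown app: {name}")
        state[name] = "visiting"
        for dep in apps[name][1]:
            visit(dep, path + [name])
        state[name] = "done"
        order.append(name)

    for name in required:
        visit(name, [])
    return order

def blocking_minutes(required, apps):
    """Assumption: serial install, so the ESP blocks for the sum of the closure."""
    return sum(apps[name][0] for name in install_order(required, apps))

def without_dependency(apps, app, dep):
    """Copy of the graph with one dependency edge removed (a what-if)."""
    trimmed = dict(apps)
    minutes, deps = apps[app]
    trimmed[app] = (minutes, [d for d in deps if d != dep])
    return trimmed

if __name__ == "__main__":
    everything = ["office", "endpoint-agent", "vpn-client", "pim-helper"]
    tight = ["endpoint-agent", "vpn-client", "pim-helper"]
    print("all required:", blocking_minutes(everything, APPS), "min")
    no_dotnet = without_dependency(APPS, "office", "dotnet-runtime")
    print("false dependency removed:", blocking_minutes(everything, no_dotnet), "min")
    print("tight required set:", blocking_minutes(tight, APPS), "min")
```

Replace the constructed timings with the per-app install times you recorded on your test machines before drawing conclusions from the totals.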
CSPs that cause ESP timeouts
Half a dozen CSPs are responsible for most ESP hangs in the wild:
- BitLocker — encryption start, if the TPM isn't ready.
- WindowsDefenderApplicationGuard — slow to provision on non-SSD.
- ApplicationControl — large policy XML = long compile.
- VPN profiles with certificate enrollment — waits on the CA.
- Wi-Fi profiles deployed pre-login — blocks until the cert is present.
Moving any of these to post-ESP drops the bar dramatically. Test one at a time.