What success looks like in this role:
We're hiring an M365 Endpoint Architect (Windows SOE, Intune, SCCM) to lead the design and delivery of a modern, secure Windows operating environment. You will run design workshops, produce authoritative designs, build and validate the SOE, define and execute the migration approach (Windows 10 to Windows 11), modernize endpoint management with Intune, and orchestrate app packaging and deployment using SCCM/Intune across lab, preprod and production. This is a hands-on architecture role working closely with client SMEs, a client TDA, security and support teams, without PM duties.
Key Responsibilities:
Discovery and design
Run workshops: Lead core and use-case design workshops; capture requirements, decisions, constraints and personas.
Target architecture: Define endpoint platform architecture covering Intune, SCCM, co-management, Entra ID, Conditional Access, identity/device join models, certificate strategy, and networking/proxy/DNS dependencies.
SOE blueprint: Specify and version Windows 11 SOE (image/lightweight reference), secure baselines, hardening, default apps, policies and configuration layers.
Policy design: Author device configuration, compliance and Endpoint Security policies (BitLocker, Defender, Firewall, Account protection including LAPS and WHfB).
Update strategy: Design Windows Update for Business rings, deadlines and safeguards; driver/firmware approach.
Co-management sliders: Plan SCCM to Intune workload migration (client apps, compliance, device config, Endpoint Protection, WUfB) with rollback paths.
Application packaging: Define packaging standards and deployment patterns (Win32, MSIX, detection rules, requirements, PSADT), content delivery and pilot strategy.
Documentation: Produce Core Endpoint Management Design, Use-Case Addenda, Test Plans, Migration Playbook and As-Built documentation.
Build and validation (lab to production)
Lab build: Stand up lab/DEV; configure Intune tenant components, Autopilot profiles, enrolment restrictions, test identities/devices and integration touchpoints.
SOE build: Build and validate SOE artifacts (reference configs, provisioning packages where applicable, Autopilot profiles) and app baselines.
Automation: Create PowerShell/Graph automations for packaging, reporting, posture and remediation.
Testing: Define and execute functional, performance and user validation; UAT coordination with SMEs; defect triage and remediation.
Migration and enablement
Win10 to Win11 migration: Define compatibility approach (app compat, drivers/firmware, peripherals), readiness assessments, comms inputs and cutover playbooks.
Waves and cadence: Design migration waves at enterprise scale; success criteria, telemetry and rollback.
Endpoint protection: Ensure security control efficacy during migration (encryption continuity, Defender policy parity, CA impact).
Handover: Create runbooks and support models; contribute to Day-2 readiness and knowledge transfer.
Governance and collaboration
Design authority interface: Collaborate with the Client TDA for design approvals, risks and variances.
Stakeholder alignment: Partner with security, network, identity and app owners to de-risk dependencies.
Compliance mapping: Align configurations to public sector frameworks and Essential Eight maturity targets where applicable.
Required skills and experience
Windows SOE: Proven design/build of enterprise Windows SOE for Windows 11, including baselines, hardening and imaging/provisioning strategies.
Intune expertise: Device configuration, compliance, Endpoint Security, WUfB, Autopilot (user/self-deploy/kiosk), filters, dynamic groups, remediation scripts.
SCCM/MECM: Co-management setup, workload migration, collections, task sequences for in-place upgrade, content management, software updates.
Application packaging: MSI/MSIX/Win32 packaging, detection/requirements, dependency management, PSADT, installation testing at scale.
Identity and access: Entra ID join models (AADJ/HAADJ), Conditional Access impacts on device posture, PKI/certificates for device and Wi-Fi/VPN auth.
Security controls: BitLocker (MBAM/key escrow), Microsoft Defender for Endpoint policies, LAPS, WHfB, firewall, device control.
Automation: PowerShell and Microsoft Graph for packaging, reporting, compliance and remediation.
Enterprise delivery: Lab to preprod to prod promotion, change control and wave-based migrations across thousands of endpoints.
Documentation: Authoritative design docs, test plans, runbooks and as-built records.
You will be successful in this role if you have:
NV1 Security Clearance is required.
Certifications: MD-102 (Endpoint Administrator), AZ-104/AZ-140 or MS-102, and/or SC-200/SC-100 desirable.
Experience: 7 years in endpoint engineering/architecture with recent Windows 11 and Intune modern management at enterprise scale.
Unisys is proud to be an equal opportunity employer that considers all qualified applicants without regard to age, caste, citizenship, color, disability, family medical history, family status, ethnicity, gender, gender expression, gender identity, genetic information, marital status, national origin, parental status, pregnancy, race, religion, sex, sexual orientation, transgender status, veteran status or any other category protected by law.
Local employment practices and rights may vary by jurisdiction and are subject to applicable local laws. This commitment includes our efforts to provide for all those who seek to express interest in employment the opportunity to participate without barriers.
If you are a US job seeker unable to review the job opportunities herein, or cannot otherwise complete your expression of interest without additional assistance, and would like to discuss a request for reasonable accommodation, please contact our Global Recruiting organization at . US job seekers can find more information about Unisys' EEO commitment here.
Unisys is a global information technology company that specializes in providing industry-focused solutions integrated with leading-edge security to clients in the government, financial services and commercial markets. Unisys offerings include security solutions, advanced data analytic ...