Windows Device Engineering Lead
Cambridge, MA - USA
Job Summary
By clicking the Apply button I understand that my employment application process with Takeda will commence and that the information I provide in my application will be processed in line with Takedas Privacy Notice and Terms of Use. I further attest that all information I submit in my employment application is true to the best of my knowledge.
Job Description
Position Summary
We are seeking an experienced and technically deep Windows Device Engineering Lead to own and drive the global endpoint management strategy for approximately 50000 Windows devices across our worldwide operations. This is a high-impact technical leadership role responsible for the full device lifecycle from provisioning and configuration to monthly patching security hardening and decommission while coordinating a distributed team of contractors across time zones.
The ideal candidate combines hands-on technical mastery in Microsoft Intune SCCM/MEMCM PowerShell scripting and application packaging with the organizational skills to lead mentor and direct an offshore delivery team. You will serve as the primary liaison between endpoint engineering security and business stakeholders ensuring our endpoint estate is compliant resilient and operationally excellent.
Key Responsibilities
Endpoint Management & Strategy
- Architect maintain and continuously improve the global Windows device management platform using Microsoft Intune and SCCM/MEMCM (co-management and cloud-only environments).
- Define and own configuration baselines enrollment profiles compliance policies and conditional access rules across the 50000 endpoint estate.
- Drive the organizations modernization roadmap toward cloud-native device management (Autopilot Intune-only co-management).
- Oversee device lifecycle management including provisioning imaging refresh cycles and decommissioning procedures.
Patching & Vulnerability Management
- Own the end-to-end monthly Patch Tuesday cycle: planning ring-based deployment remediation tracking and executive reporting.
- Manage software update servicing (WSUS/SUP Intune Update Rings Windows Autopatch) and ensure SLA compliance across all global regions.
- Partner with the Security Operations team to remediate critical and high vulnerabilities within agreed SLO windows.
- Maintain a documented patching run book and escalation path for failures and exceptions.
Security Policy & Compliance (CIS & MDE)
- Implement and enforce CIS Benchmark controls for Windows (Level 1 and Level 2) across the global fleet via Intune configuration profiles and SCCM baselines.
- Own the Microsoft Defender for Endpoint (MDE) deployment configuration and health monitoring including onboarding policies ASR rules tamper protection and threat & vulnerability management.
- Collaborate with the Security team to operationalize MDE alerts Secure Score improvements and endpoint detection & response (EDR) posture.
- Conduct periodic compliance reporting against CIS benchmarks and remediate drift; maintain audit-ready documentation.
- Manage and tune Intune compliance and conditional access policies to enforce Zero Trust principles.
PowerShell & Scripting
- Develop maintain and peer-review PowerShell scripts for automation across device management tasks including compliance remediation reporting inventory and configuration drift detection.
- Build and maintain CI/CD-friendly script repositories with version control (Git) testing frameworks and documentation standards.
- Leverage Graph API and PowerShell SDK for Intune to automate tenant configuration bulk operations and reporting.
- Champion scripting best practices and provide guidance/code reviews to contractor team members.
Application Packaging & Deployment
- Lead application packaging efforts including Win32 apps (Intune) MSI/EXE/MSIX transforms and SCCM packages/task sequences.
- Define and maintain application packaging standards testing procedures and approval workflows.
- Manage the application catalog ensuring software is current licensed and securely deployed.
- Coordinate with software vendors and internal stakeholders to resolve packaging challenges and dependency conflicts.
Team Leadership & Offshore Coordination
- Lead coordinate and quality-assure the work of a team of offshore contractors based primarily in India including task assignment sprint planning and performance feedback.
- Establish clear SLAs runbooks and escalation paths to ensure consistent delivery quality across time zones.
- Conduct regular stand-ups knowledge-transfer sessions and technical mentorship for the contractor team.
- Manage staffing levels onboarding and knowledge continuity to minimize single points of failure.
- Collaborate closely with IT leadership to prioritize the teams backlog against project and operational demands.
Documentation Reporting & Governance
- Maintain comprehensive documentation for all device management processes configurations and operational procedures.
- Produce regular management reporting on endpoint health patch compliance security posture and KPIs.
- Participate in change management processes (CAB) ensuring all changes to the endpoint platform are risk-assessed and communicated.
- Represent the endpoint team in cross-functional meetings with IT Security Networking Help Desk and business units.
Required Qualifications
Experience
- 7 years of hands-on experience in Windows endpoint management at enterprise scale (10000 endpoints).
- Demonstrated experience managing a globally distributed Windows device fleet across multiple geographies.
- 3 years of experience directly leading or coordinating technical teams including offshore/nearshore resources.
- Prior experience working within a 24/7 global IT operations model preferred.
Technical Skills Must Have
- Microsoft Intune Deep hands-on expertise in Intune device enrollment (AADJ Hybrid AADJ Autopilot) configuration profiles compliance policies app deployment and update rings. Experience with Intune co-management and tenant-attach scenarios. Microsoft Intune:
- SCCM / MEMCM Strong working knowledge of SCCM site design client deployment task sequences OSD software update management and reporting (SSRS). Experience migrating workloads to Intune preferred. SCCM / MEMCM:
- PowerShell Advanced scripting ability; able to write production-grade scripts without supervision. Proficient with PowerShell modules for Intune () Active Directory and Windows management. Comfortable with error handling logging and modular script design. PowerShell:
- App Packaging Proficient with Win32 app packaging for Intune (IntuneWinAppUtil) MSI/MSIX repackaging silent install parameters detection rules and dependency management. Experience with SCCM packages and task sequences. App Packaging:
- CIS Benchmarks Working knowledge of CIS Microsoft Windows Benchmark controls; experience translating CIS controls into Intune/SCCM policies and tracking compliance. CIS Benchmarks:
- Microsoft Defender for Endpoint (MDE) Experience deploying and managing MDE at scale including onboarding policy configuration ASR rules threat & vulnerability management (TVM) and integration with Microsoft Sentinel or SIEM platforms. Microsoft Defender for Endpoint:
Technical Skills Strong Plus
- Windows Autopatch and Autopilot self-deploying / pre-provisioning scenarios.
- Azure Active Directory / Entra ID Conditional Access device compliance integration hybrid identity.
- Microsoft Endpoint Analytics and Intune reporting workbooks.
- Experience with ITSM tooling (ServiceNow) for change management and incident integration.
- Familiarity with Microsoft Sentinel or Defender XDR for endpoint telemetry correlation.
- Knowledge of ITIL frameworks particularly incident change and problem management.
Preferred Qualifications
- Microsoft 365 Certified: Endpoint Administrator Associate (MD-102) or equivalent certification.
- Microsoft Certified: Security Compliance and Identity Fundamentals or Security Operations Analyst Associate (SC-200).
- Experience in highly regulated industries (financial services healthcare government) with strict compliance requirements.
- Familiarity with additional endpoint security tools (Microsoft Defender CrowdStrike Tanium) is a plus.
- Exposure to non-Windows platforms (macOS iOS/Android via Intune) in a mixed-OS environment.
- Experience with software license management and hardware asset management processes.
Core Competencies
Technical Leadership
Able to set technical direction make defensible architectural decisions and elevate team capability through mentorship.
Cross-Cultural Communication
Communicates clearly and effectively with offshore teams across time zones; adapts communication style for diverse audiences.
Security-First Mindset
Treats endpoint security as a non-negotiable baseline; proactively identifies and closes posture gaps.
Ownership & Accountability
Takes full ownership of outcomes not just tasks. Escalates early communicates risk and drives issues to resolution.
Continuous Improvement
Seeks automation-first solutions to operational toil; champions process documentation and repeatability.
Work Environment & Expectations
- Availability to overlap with India-based contractor team for daily stand-ups and escalations (early morning or late afternoon flexibility required).
- Participation in on-call rotation for critical P1/P2 endpoint incidents and change windows.
- Travel may be required occasionally for team on-sites or major project deployments (estimate: 010% annually).
- Must be comfortable operating in a fast-paced geographically distributed enterprise IT environment with competing priorities.
Takeda Compensation and Benefits Summary
We understand compensation is an important factor as you consider the next step in your career. We are committed to equitable pay for all employees and we strive to be more transparent with our pay practices.
For Location:
Cambridge MAU.S. Base Salary Range:
$137000.00 - $215270.00
The estimated salary range reflects an anticipated range for this position. The actual base salary offered may depend on a variety of factors including the qualifications of the individual applicant for the position years of relevant experience specific and unique skills level of education attained certifications or other professional licenses held and the location in which the applicant lives and/or from which they will be performing the actual base salary offered will be in accordance with state or local minimum wage requirements for the job location.
U.S. based employees may be eligible for short-term and/ or long-term incentives. U.S. based employees may be eligible to participate in medical dental vision insurance a 401(k) plan and company match short-term and long-term disability coverage basic life insurance a tuition reimbursement program paid volunteer time off company holidays and well-being benefits among others. U.S. based employees are also eligible to receive per calendar year up to 80 hours of sick time and new hires are eligible to accrue up to 120 hours of paid vacation.
EEO Statement
Takeda is proud in its commitment to creating a diverse workforce and providing equal employment opportunities to all employees and applicants for employment without regard to race color religion sex sexual orientation gender identity gender expression parental status national origin age disability citizenship status genetic information or characteristics marital status status as a Vietnam era veteran special disabled veteran or other protected veteran in accordance with applicable federal state and local laws and any other characteristic protected by law.
Locations
Cambridge MAWorker Type
EmployeeWorker Sub-Type
RegularTime Type
Full timeJob Exempt
YesIt is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.Required Experience:
Senior IC
About Company
Takeda is a patient-focused, R&D-driven global biopharmaceutical company committed to bringing Better Health and a Brighter Future.