M365 Endpoint Architect

What success looks like in this role:

We’re hiring an M365 Endpoint Architect (Windows SOE, Intune, SCCM) to lead the design and delivery of a modern, secure Windows operating environment. You will run design workshops, produce authoritative designs, build and validate the SOE, define and execute the migration approach (Windows 10 to Windows 11), modernize endpoint management with Intune, and orchestrate app packaging and deployment using SCCM/Intune across lab, pre‑prod, and production. This is a hands-on architecture role working closely with client SMEs, a client TDA, security, and support teams without PM duties.

Key Responsibilities:

Discovery and design

• Run workshops: Lead core and use‑case design workshops; capture requirements, decisions, constraints, and personas.

• Target architecture: Define endpoint platform architecture covering Intune, SCCM co‑management, Entra ID, Conditional Access, identity/device join models, certificate strategy, networking/proxy/DNS dependencies.

• SOE blueprint: Specify and version Windows 11 SOE (image/lightweight reference), secure baselines, hardening, default apps, policies, and configuration layers.

• Policy design: Author device configuration, compliance, and Endpoint Security policies (BitLocker, Defender, Firewall, Account protection including LAPS and WHfB).

• Update strategy: Design Windows Update for Business rings, deadlines, and safeguards; driver/firmware approach.

• Co‑management sliders: Plan SCCM to Intune workload migration (client apps, compliance, device config, Endpoint Protection, WUfB), with rollback paths.

• Application packaging: Define packaging standards and deployment patterns (Win32 + MSIX, detection rules, requirements, PSADT), content delivery, and pilot strategy.

• Documentation: Produce Core Endpoint Management Design, Use‑Case Addenda, Test Plans, Migration Playbook, and As‑Built documentation.

Build and validation (lab to production)

• Lab build: Stand up lab/DEV; configure Intune tenant components, Autopilot profiles, enrolment restrictions, test identities/devices, and integration touchpoints.

• SOE build: Build and validate SOE artifacts (reference configs, provisioning packages where applicable, Autopilot profiles) and app baselines.

• Automation: Create PowerShell/Graph automations for packaging, reporting, posture, and remediation.

• Testing: Define and execute functional, performance, and user validation; UAT coordination with SMEs; defect triage and remediation.

Migration and enablement

• Win10→Win11 migration: Define compatibility approach (App compat, drivers/firmware, peripherals), readiness assessments, comms inputs, and cutover playbooks.

• Waves and cadence: Design migration waves at enterprise scale; success criteria, telemetry, and rollback.

• Endpoint protection: Ensure security control efficacy during migration (encryption continuity, Defender policy parity, CA impact).

• Handover: Create runbooks and support models; contribute to Day‑2 readiness and knowledge transfer.

Governance and collaboration

• Design authority interface: Collaborate with the Client TDA for design approvals, risks, and variances.

• Stakeholder alignment: Partner with security, network, identity, and app owners to de‑risk dependencies.

• Compliance mapping: Align configurations to public sector frameworks and Essential Eight maturity targets where applicable.

Required skills and experience

• Windows SOE: Proven design/build of enterprise Windows SOE for Windows 11, including baselines, hardening, and imaging/provisioning strategies.

• Intune expertise: Device configuration, compliance, Endpoint Security, WUfB, Autopilot (user/self‑deploy/kiosk), filters, dynamic groups, remediation scripts.

• SCCM/MECM: Co‑management setup, workload migration, collections, task sequences for in‑place upgrade, content management, software updates.

• Application packaging: MSI/MSIX/Win32 packaging, detection/requirements, dependency management, PSADT, installation testing at scale.

• Identity and access: Entra ID join models (AADJ/HAADJ), Conditional Access impacts on device posture, PKI/certificates for device and Wi‑Fi/VPN auth.

• Security controls: BitLocker (MBAM/Key escrow), Microsoft Defender for Endpoint policies, LAPS, WHfB, firewall, device control.

• Automation: PowerShell and Microsoft Graph for packaging, reporting, compliance, and remediation.

• Enterprise delivery: Lab→pre‑prod→prod promotion, change control, and wave‑based migrations across thousands of endpoints.

• Documentation: Authoritative design docs, test plans, runbooks, and as‑built records.

You will be successful in this role if you have:

• NV1 Security Clerance is required.

• Certifications: MD‑102 (Endpoint Administrator), AZ‑104/AZ‑140 or MS‑102, and/or SC‑200/SC‑100 desirable.

• Experience: 7+ years in endpoint engineering/architecture with recent Windows 11 and Intune modern management at enterprise scale.

Unisys is proud to be an equal opportunity employer that considers all qualified applicants without regard to age, caste, citizenship, color, disability, family medical history, family status, ethnicity, gender, gender expression, gender identity, genetic information, marital status, national origin, parental status, pregnancy, race, religion, sex, sexual orientation, transgender status, veteran status or any other category protected by law.

Local employment practices and rights may vary by jurisdiction and are subject to applicable local laws. This commitment includes our efforts to provide for all those who seek to express interest in employment the opportunity to participate without barriers.

If you are a US job seeker unable to review the job opportunities herein, or cannot otherwise complete your expression of interest, without additional assistance and would like to discuss a request for reasonable accommodation, please contact our Global Recruiting organization at [email protected]. US job seekers can find more information about Unisys’ EEO commitment here.