M365 Endpoint Architect
Unisys
Job Summary
We’re hiring an M365 Endpoint Architect to lead the design and delivery of a modern, secure Windows operating environment. This role involves running design workshops, producing authoritative designs, building and validating the SOE, defining and executing the migration approach (Windows 10 to Windows 11), modernizing endpoint management with Intune, and orchestrating app packaging and deployment using SCCM/Intune across lab, pre‑prod, and production. It's a hands-on architecture role working closely with client SMEs, TDA, security, and support teams.
Must Have
- Lead design and delivery of modern, secure Windows operating environment.
- Expertise in Windows SOE design/build for Windows 11.
- Proficiency in Intune for device configuration, compliance, and security.
- Experience with SCCM/MECM for co-management and workload migration.
- Skilled in application packaging (MSI/MSIX/Win32) and deployment.
- Strong knowledge of Entra ID, Conditional Access, and PKI.
- Experience with security controls like BitLocker, Defender for Endpoint, LAPS.
- Ability to automate with PowerShell and Microsoft Graph.
- Proven experience in enterprise-scale migrations (Win10 to Win11).
- NV1 Security Clearance.
- 7+ years in endpoint engineering/architecture with Windows 11 and Intune modern management at enterprise scale.
Good to Have
- MD‑102 (Endpoint Administrator) certification.
- AZ‑104/AZ‑140 or MS‑102 certification.
- SC‑200/SC‑100 certification.
Job Description
What success looks like in this role:
We’re hiring an M365 Endpoint Architect (Windows SOE, Intune, SCCM) to lead the design and delivery of a modern, secure Windows operating environment. You will run design workshops, produce authoritative designs, build and validate the SOE, define and execute the migration approach (Windows 10 to Windows 11), modernize endpoint management with Intune, and orchestrate app packaging and deployment using SCCM/Intune across lab, pre‑prod, and production. This is a hands-on architecture role working closely with client SMEs, a client TDA, security, and support teams without PM duties.
Key Responsibilities:
Discovery and design
- Run workshops: Lead core and use‑case design workshops; capture requirements, decisions, constraints, and personas.
- Target architecture: Define endpoint platform architecture covering Intune, SCCM co‑management, Entra ID, Conditional Access, identity/device join models, certificate strategy, networking/proxy/DNS dependencies.
- SOE blueprint: Specify and version Windows 11 SOE (image/lightweight reference), secure baselines, hardening, default apps, policies, and configuration layers.
- Policy design: Author device configuration, compliance, and Endpoint Security policies (BitLocker, Defender, Firewall, Account protection including LAPS and WHfB).
- Update strategy: Design Windows Update for Business rings, deadlines, and safeguards; driver/firmware approach.
- Co‑management sliders: Plan SCCM to Intune workload migration (client apps, compliance, device config, Endpoint Protection, WUfB), with rollback paths.
- Application packaging: Define packaging standards and deployment patterns (Win32 + MSIX, detection rules, requirements, PSADT), content delivery, and pilot strategy.
- Documentation: Produce Core Endpoint Management Design, Use‑Case Addenda, Test Plans, Migration Playbook, and As‑Built documentation.
Build and validation (lab to production)
- Lab build: Stand up lab/DEV; configure Intune tenant components, Autopilot profiles, enrolment restrictions, test identities/devices, and integration touchpoints.
- SOE build: Build and validate SOE artifacts (reference configs, provisioning packages where applicable, Autopilot profiles) and app baselines.
- Automation: Create PowerShell/Graph automations for packaging, reporting, posture, and remediation.
- Testing: Define and execute functional, performance, and user validation; UAT coordination with SMEs; defect triage and remediation.
Migration and enablement
- Win10→Win11 migration: Define compatibility approach (App compat, drivers/firmware, peripherals), readiness assessments, comms inputs, and cutover playbooks.
- Waves and cadence: Design migration waves at enterprise scale; success criteria, telemetry, and rollback.
- Endpoint protection: Ensure security control efficacy during migration (encryption continuity, Defender policy parity, CA impact).
- Handover: Create runbooks and support models; contribute to Day‑2 readiness and knowledge transfer.
Governance and collaboration
- Design authority interface: Collaborate with the Client TDA for design approvals, risks, and variances.
- Stakeholder alignment: Partner with security, network, identity, and app owners to de‑risk dependencies.
- Compliance mapping: Align configurations to public sector frameworks and Essential Eight maturity targets where applicable.
Required skills and experience
- Windows SOE: Proven design/build of enterprise Windows SOE for Windows 11, including baselines, hardening, and imaging/provisioning strategies.
- Intune expertise: Device configuration, compliance, Endpoint Security, WUfB, Autopilot (user/self‑deploy/kiosk), filters, dynamic groups, remediation scripts.
- SCCM/MECM: Co‑management setup, workload migration, collections, task sequences for in‑place upgrade, content management, software updates.
- Application packaging: MSI/MSIX/Win32 packaging, detection/requirements, dependency management, PSADT, installation testing at scale.
- Identity and access: Entra ID join models (AADJ/HAADJ), Conditional Access impacts on device posture, PKI/certificates for device and Wi‑Fi/VPN auth.
- Security controls: BitLocker (MBAM/Key escrow), Microsoft Defender for Endpoint policies, LAPS, WHfB, firewall, device control.
- Automation: PowerShell and Microsoft Graph for packaging, reporting, compliance, and remediation.
- Enterprise delivery: Lab→pre‑prod→prod promotion, change control, and wave‑based migrations across thousands of endpoints.
- Documentation: Authoritative design docs, test plans, runbooks, and as‑built records.
You will be successful in this role if you have:
- NV1 Security Clearance is required.
- Certifications: MD‑102 (Endpoint Administrator), AZ‑104/AZ‑140 or MS‑102, and/or SC‑200/SC‑100 desirable.
- Experience: 7+ years in endpoint engineering/architecture with recent Windows 11 and Intune modern management at enterprise scale.
Unisys is proud to be an equal opportunity employer that considers all qualified applicants without regard to age, caste, citizenship, color, disability, family medical history, family status, ethnicity, gender, gender expression, gender identity, genetic information, marital status, national origin, parental status, pregnancy, race, religion, sex, sexual orientation, transgender status, veteran status or any other category protected by law.
Local employment practices and rights may vary by jurisdiction and are subject to applicable local laws. This commitment includes our efforts to provide for all those who seek to express interest in employment the opportunity to participate without barriers.
If you are a US job seeker unable to review the job opportunities herein, or cannot otherwise complete your expression of interest, without additional assistance and would like to discuss a request for reasonable accommodation, please contact our Global Recruiting organization at GlobalRecruiting@unisys.com. US job seekers can find more information about Unisys’ EEO commitment here.
About Us
Unisys is a global technology solutions company that powers breakthroughs for the world’s leading organizations. Our solutions – cloud, AI, digital workplace, logistics and enterprise computing – help our clients challenge the status quo and unlock their full potential. To learn how we have been helping clients push what’s possible for more than 150 years, visit unisys.com and follow us on LinkedIn.
https://www.unisys.com/unisys-legal/recruiting
Notice for U.S. Applicants: Unisys is an Equal Opportunity Employer – Minorities/ Females/ Veterans/ Individuals with Disabilities/ Sexual Orientation/ Gender Identity
Unisys Recruiting and Hiring Privacy/Data Protection Notice