NO THIRD PARTIES PLEASE
THIS IS CONTRACT TO HIRE AFTER 6 MONTHS
About the Role
We're looking for a Senior Endpoint Management Consultant to lead modern device management and endpoint security engagements for our clients. You'll own the technical strategy and delivery of Microsoft Intune, Windows Autopilot, and the Microsoft Defender security stack, helping organizations move from unmanaged or legacy environments to a cloud-first, Zero Trust-aligned device posture.
You'll tackle real challenges: hundreds of unmanaged devices, Windows Home editions that can't be enrolled, mixed on-prem GPO environments running alongside a half-configured Intune tenant, BYOD scenarios with no app protection policies, and post-merger environments where two separate device management platforms need to be rationalized into one. You'll be the person who designs the solution and delivers it.
If you've deployed Intune at scale, set up Windows Autopilot for zero-touch provisioning, built Conditional Access frameworks that tie device compliance to M365 access, and integrated Microsoft Defender for Endpoint as an EDR solution across a client fleet, this role was built for you.
What You'll Do
Endpoint Strategy & Assessment
- Conduct device landscape assessments to identify unmanaged devices, mixed OS editions, legacy management tools (SCCM, GPOs, third-party MDMs), and configuration drift across client environments.
- Develop modern endpoint management strategies that define the path from current state to a fully Intune-managed, security-baseline-compliant device fleet.
- Design migration plans for clients transitioning from on-prem Configuration Manager to cloud-managed Intune, including co-management rollout and Windows Update for Business adoption.
Intune Deployment & Windows Autopilot
- Architect and implement Microsoft Intune as the central endpoint management platform: device enrollment, configuration profiles, compliance policies, app deployment, and update rings.
- Design and deploy Windows Autopilot for zero-touch provisioning: from out-of-the-box to fully configured, compliant, and enrolled in minutes.
- Address OS edition issues (Windows Home to Pro/Enterprise upgrades) and ensure devices meet Azure AD Join or Hybrid Azure AD Join requirements based on the client's identity architecture.
- Build Mobile Application Management (MAM) and App Protection Policies for BYOD scenarios, protecting corporate data in Outlook, Teams, and OneDrive on personal devices without requiring full MDM enrollment.
Endpoint Security & Policy Configuration
- Define and deploy security baselines aligned to CIS Benchmarks and Microsoft recommended settings: BitLocker encryption, Defender Antivirus with cloud protection, firewall policies, attack surface reduction rules, and application control.
- Deploy Microsoft Defender for Endpoint across client device fleets; configure EDR capabilities, behavioral sensors, and automated response actions integrated with Intune.
- Implement Conditional Access policies that enforce device compliance as a prerequisite for accessing corporate M365 resources, integrating with Entra ID P2 features like Identity Protection for risk-based sign-in policy.
- Configure Privileged Identity Management (PIM) for administrative roles and enforce least privilege access on endpoints.
Identity & Entra ID Integration
- Advise on Azure AD Join vs. Hybrid Azure AD Join vs. Entra Registered scenarios based on the client's environment and roadmap, and implement the right approach.
- Enable modern passwordless authentication (Windows Hello for Business, FIDO2, Authenticator app) where appropriate to improve security posture and user experience.
- For M365 tenant consolidation engagements, design the device migration approach: re-enrollment, Autopilot reset, policy migration, and end-user communication sequencing.
Monitoring & Incident Response
- Configure dashboards and alerts in the Microsoft 365 Defender portal for centralized visibility into device health, compliance status, and endpoint threats.
- Establish endpoint incident response playbooks: lost device remote wipe via Intune, malware containment and quarantine via Defender for Endpoint, compromised credential response in coordination with identity teams.
- Collaborate with client SOC teams or security analysts to tune Defender for Endpoint alerts, review Microsoft Secure Score, and drive continuous security posture improvement.
- Document all configurations and deliver knowledge transfer sessions so client IT teams can operate and maintain the solution post-engagement.
Cross-Team Collaboration
- Work alongside M365 Collaboration and Messaging consultants to ensure device compliance policies are aligned with SharePoint, Teams, and Exchange access controls.
- Partner with security specialists to integrate endpoint telemetry into broader security operations: SIEM integration, Defender XDR correlation, and cross-workload incident response.
Client Advisory & Strategic Leadership
- Own the client relationship across the full engagement lifecycle, translating technical milestones into business outcomes.
- Advise clients on M365 roadmap decisions against security readiness, governance maturity, and user impact in order to recommend enablement options that fit their needs.
- Contribute to pre-sales functions including discovery meetings, solution whiteboards, SOW and ROM scoping, and ongoing account management.
- Build and execute change management frameworks that treat user adoption as a core requirement: executive alignment, champion networks, phased training, and adoption tracking built into the project from day one.
Technical Requirements
- 5+ years of hands-on experience leading enterprise endpoint management projects using Microsoft Intune and related technologies.
- Demonstrated experience deploying Windows Autopilot at scale, including Autopilot profile design, hardware hash registration, and troubleshooting failed enrollments.
- Deep understanding of Windows 10/11 in an enterprise context: MDM vs. GPO policy differences, Windows Update for Business, Defender Credential Guard, Exploit Guard, and local admin management.
- Hands-on experience with Microsoft Defender for Endpoint: onboarding, EDR policy configuration, alert triage, and automated remediation integration with Intune.
- Working knowledge of Entra ID P2: Conditional Access, Identity Protection, PIM, and their relationship to device compliance.
- Experience with BYOD scenarios: MAM configuration, App Protection Policies for iOS and Android, and when to use MAM-only vs. full MDM enrollment.
- PowerShell proficiency for endpoint management automation: bulk enrollment, compliance reporting, and Microsoft Graph API queries.