AVD Endpoint/Thin Client Engineer (Engineering & O&M)

About The Position

Requirements

• 3–5+ years in End-User Computing/VDI with a focus on Azure Virtual Desktop endpoints or thin clients.
• Hands-on with Intune/Endpoint Manager, Entra ID, Autopilot, device compliance/config profiles, Proactive Remediations.
• Experience with thin-client platforms: one or more of IGEL UMS, HP Device Manager/ThinPro, Dell WMS/ThinOS, Stratodesk NoTouch, 10ZiG Manager.
• Strong PowerShell (Graph/Intune/WMI/CIM) and practical KQL for troubleshooting and reporting.
• Solid understanding of RDP (Shortpath, UDP), media optimization (Teams), device/USB redirection, and endpoint networking (DNS, proxy, firewall, QoS).
• Endpoint security: Defender for Endpoint onboarding, BitLocker (where applicable), WDAC/AppLocker, certificate enrollment (SCEP/PKCS), Conditional Access.
• Proven change/incident/problem management in an ITIL environment; excellent documentation discipline.

Nice To Haves

• Familiarity with Nerdio Manager for Enterprise (for alignment with AVD operations), FSLogix concepts (from an endpoint perspective), Universal Print, smart-card/CAC pass-through.
• Experience integrating endpoint/thin-client telemetry with Elastic or Microsoft Sentinel.
• IaC exposure (Bicep/Terraform) beneficial for understanding AVD infra dependencies.
• Government/regulated environment experience; STIG/CIS hardening familiarity.

Responsibilities

• Design and maintain standard endpoint/thin-client builds (Windows IoT Enterprise LTSC, IGEL OS, HP ThinPro, Dell ThinOS, Stratodesk NoTouch) with the AVD client, SSO, and required plugins (e.g., Teams optimization, webcam/audio, smart-card/CAC).
• Create and version device configurations and profiles in Intune (device compliance, configuration, app deployment, ESP/Autopilot) and/or vendor consoles (IGEL UMS, HP Device Manager, Dell Wyse Management Suite, Stratodesk NoTouch Center, 10ZiG Manager).
• Implement AVD client policies: RDP Shortpath (UDP), device/USB redirection rules, multi-monitor/resolution, codec preferences, QoS/DSCP tagging.
• Integrate endpoint security: Microsoft Defender for Endpoint onboarding, BitLocker (where applicable), WDAC/App Control, Local Admin/LAPS policies, certificate enrollment (SCEP/PKCS) for Wi-Fi/VPN/EAP-TLS.
• Configure printing options (Universal Print and/or session printing) and peripherals (headsets, scanners) with approved redirection.
• Run the daily health routine: monitor AVD client versions, endpoint check-ins, compliance drift, Teams media optimization status, and call quality signals.
• Patch OS/firmware/drivers at scale; manage phased rings, rollback, and change windows. Track vendor advisories and plan upgrades.
• Troubleshoot login and session issues from the endpoint side (auth loops, conditional access, FSLogix profile attach symptoms surfaced at the client, UDP reachability).
• Maintain inventory and CMDB accuracy (tags, ownership, location, warranty/lease, lifecycle stage).
• Respond to incidents and service requests; execute runbooks; contribute to problem management and post-incident reviews.
• Build dashboards and alerts using Intune reports, Azure Monitor/Log Analytics/Workbooks, and vendor consoles for device compliance & check-in rates, AVD client version coverage, session connection success, RTT/latency/jitter (from client perspective), Teams Optimization health and CQD insights.