Senior Endpoint Engineer

About The Position

Requirements

• Excellent written and oral communication skills.
• Strong critical thinking, analytical reasoning, and thought leadership skills.
• Ability to bridge engineering, product, security, and operations teams to align on goals and foster shared responsibility.
• Project management skills.
• Proven experience implementing Intune and Autopilot (or equivalent zero-touch MDM) for large Windows fleets, including dynamic assignments and deployment profiles.
• Deep knowledge of Microsoft Defender for Endpoint, BitLocker, ASR rules, device control, and endpoint hardening frameworks such as CIS Benchmarks.
• Hands-on experience with configuration and compliance policies, app protection, certificates (SCEP, PKCS, PFX), and Conditional Access alignment.
• Proficiency in PowerShell and Python with ability to automate via Microsoft Graph API and REST.
• Demonstrated results improving boot times, sign-in performance, reliability, and patch compliance using telemetry and service-level objectives.
• Strong understanding of TCP/IP, DNS, DHCP, Azure AD/Entra device states, RBAC, and group-based targeting.
• Five to eight or more years of experience in End-User Computing or Endpoint Engineering, with at least three years owning Intune and Defender in production environments.

Responsibilities

• Architect and run Windows Autopilot onboarding at scale (device enrollment, dynamic groups, deployment profiles, hardware hash workflows), delivering consistent, secure builds with minimal manual touch.
• Maintain gold images and configuration baselines (BitLocker, local admin strategy/LAPS, firewall, ASR rules, device control, credential guard, secure boot).
• Own configuration profiles, compliance policies, app protection policies, and Conditional Access alignment with Security; implement role-based access and segregation for admin operations.
• Ensure Defender for Endpoint onboarding, EDR, vulnerability management, and alerting are configured, tuned, and measured; drive remediation at scale.
• Deploy, configure, and maintain endpoint devices and associated software (Win32/MSIX packages, certificate, Wi-Fi, VPN profiles, browser policies).
• Lead Windows Update for Business and Autopatch strategy, update rings, and reporting; coordinate out-of-band security updates as needed.
• Own AVD image strategy (AIB or equivalent), FSLogix profiles, host pool scaling policies, monitoring and diagnostics, and session reliability; standardize app packaging for AVD.
• Automate Intune, Defender, and AVD via Microsoft Graph API, PowerShell, and Python; manage configurations in source control and implement peer review and change controls.
• Publish build standards, runbooks, packaging guides, and break-glass procedures; mentor Service Desk and Desktop teams.
• Maintain compliance in assigned required training and all training required by state/province or other regulating authorities as applicable to this role to ensure that Sunrise standards are always met.
• Perform other duties as assigned.

Benefits

• Medical, Dental, Vision, Life, and Disability Plans
• Retirement Savings Plans
• Employee Assistant Program / Discount Program
• Paid time off (PTO), sick time, and holiday pay
• myFlexPay offered to get paid within hours of a shift
• Tuition Reimbursement
• In addition to base compensation, Sunrise may offer discretionary and/or non-discretionary bonuses. The eligibility to receive such a bonus will depend on the employee’s position, plan/program offered by Sunrise at the time, and required performance pursuant to the plan/program.