Windows/Linux Patching, Maintenance & Automation Engineer

About The Position

Requirements

• Proven ability to lead patch strategy (rings, baselines, risk management, validation, reporting).
• Strong automation skills: PowerShell + Bash/Python; ability to build reliable, idempotent automation.
• Directory services, RBAC/group-based access, privileged access patterns, service identities.
• Audit/logging considerations and access review support.
• Comfortable operating within change control and regulated operational processes.
• 5+ years of enterprise experience managing Windows Server and RHEL patching/maintenance at scale.
• Experience with Tanium systems management/patching and compliance reporting (strongly preferred).
• Experience with IAM technologies in hybrid environments (on-prem + Azure).

Nice To Haves

• VMware experience (vSphere operations, templates, snapshot strategy, maintenance coordination).
• Azure experience (compute/network/storage, RBAC, logging/monitoring, policy governance).
• Experience improving posture using Defender for Cloud (CSPM).
• IaC expertise: Terraform and/or Bicep/ARM; GitOps workflows; module design.
• Familiarity with hardening standards (CIS/STIG) and vulnerability management lifecycles.

Responsibilities

• Lead end-to-end patch operations: strategy, ring-based deployments, testing, maintenance windows, approvals, and communications.
• Define and maintain patch baselines for Windows Server 2016–2025 and RHEL 8/9/10, including reboot orchestration and exception workflows.
• Own lifecycle planning: OS version standards, EOL tracking, upgrades, templates/images, and baseline hardening.
• Drive post-maintenance validation (service health, event/log checks, synthetic probes) and implement rollback plans.
• Own and optimize Tanium for patch deployment, compliance reporting, remediation actions, and operational troubleshooting.
• Use Intune for endpoint policy posture and update orchestration where appropriate.
• Build and maintain patch runbooks, automated health checks, and common failure remediation playbooks.
• Use Tanium authenticated scans to validate remediation and produce audit-ready evidence.
• Partner with Security to prioritize remediation based on exploitability, asset criticality, and exposure.
• Convert Horizon3.ai NodeZero findings into actionable remediation plans; validate closure and prevent recurrence.
• Assist in the design and enforce IAM patterns for patching, scanning, and automation: Least privilege access models for administrators, service accounts, automation identities, and scanners.
• Assist in the design and enforce IAM patterns for patching, scanning, and automation: Privileged access controls (e.g., tiered admin, just-in-time access, break-glass procedures).
• Assist in the design and enforce IAM patterns for patching, scanning, and automation: Credential and secret management practices for scripts/automation (vaulting, rotation, non-interactive auth).
• Integrate identity controls with Windows and Linux administration models: AD/Azure AD identity patterns, RBAC, group-based access, role separation.
• Integrate identity controls with Windows and Linux administration models: Linux privilege delegation patterns (sudoers hygiene, centralized identity where applicable).
• Ensure access is auditable and compliant: logging, review/recertification support, and evidence generation.
• Use Microsoft Defender for Cloud recommendations to drive remediation of cloud configuration risks.
• Work with cloud and security teams to implement secure baselines and reduce drift.
• Build automation for patching workflows: pre-checks, phased rollouts, post-checks, exception handling, rollbacks, reporting, and ticket/change integration.
• Introduce and design IaC for Azure and supporting infrastructure using Terraform and/or Bicep/ARM, with Git-based review and promotion workflows.
• Create reusable modules/patterns that standardize provisioning, policy enforcement, and operational readiness.
• Participate in on-call and after-hours maintenance rotations.
• Lead incident response and root cause analysis for patch-related outages; write postmortems and implement preventive controls.
• Maintain clear documentation: standards, runbooks, rollback procedures, and known issue libraries.