About this role
Stefanini Group is looking for a Sr. Intune Endpoint Engineer for a globally recognized company!

For interested applicants, click the apply button or you may reach out to Alfher Hidalgo at / for faster processing. Thank you!

We're hiring a Senior Intune Endpoint Engineer to take ownership of a partially migrated Intune tenant and bring it to a stable, predictable, and auditable state. This role requires someone who is deeply hands-on with Intune internals (IME behavior, detection logic, precedence/conflicts, filters, ESP), strong in Win32 app packaging, and disciplined about testing, rollout rings, and documentation.

Core Responsibilities
Stabilization, Troubleshooting, and Intune 'Internals'
- Own day-to-day engineering and escalation for Intune: policies, apps, enrollment, compliance, and updates.
- Troubleshoot when policies/apps don't apply using a structured approach (assignment/scoping, filters, licensing, device state, IME logs, MDM diagnostics, event logs).
- Diagnose and remediate policy conflicts and precedence issues across configuration profiles, security baselines, compliance policies, scripts, and (where applicable) co-management/GPO overlap.
- Perform deep Windows troubleshooting when needed (Event Viewer, Services, Scheduled Tasks, registry, MDM diagnostics) to resolve issues without reimaging.
Win32 App Packaging, Detection, and Automation
- Package and deploy complex Windows applications (non-MSI installers, multiple components, prerequisites) using the Win32 app model.
- Build reliable detection rules, install/uninstall logic, versioning, and logging standards; manage supersedence and dependencies.
- Create repeatable packaging standards (folder structure, log locations, naming/versioning conventions) and automate where possible with PowerShell and Graph.
Autopilot and Provisioning
- Design, implement, and test Autopilot deployments (deployment profiles, ESP, device naming, dynamic groups, required apps, enrollment flows).
- Establish a repeatable Autopilot test plan and acceptance criteria before expanding scope.
Update Rings, Feature Management, and Verification
- Implement and manage Windows Update for Business: update rings, feature update policies, quality updates, deadlines, and safeguards.
- Verify what is actually happening on devices (Intune reporting + device-side validation) and troubleshoot update compliance gaps.
Governance, Change Control, and Documentation
- Implement operational maturity: change control, peer review (where applicable), pilot rings, rollback plans, and post-change validation.
- Maintain documentation that supports auditability and long-term maintainability: runbooks, standards, 'why' behind configurations, and conflict-avoidance guidance.
- Produce drift detection and baseline comparison outputs (e.g., export Intune objects, compare to a golden baseline, report differences).
Security Layering Without Collisions
- Partner with Security/IAM to layer WUfB + Defender + compliance + baselines + Conditional Access in a way that avoids conflicting settings and unintended lockouts.
- Ensure endpoint security posture is strong while maintaining usability and operational stability.
Required Qualifications
- 5+ years in endpoint engineering/EUC with significant enterprise Intune ownership.
- Proven experience stabilizing or cleaning up a partially migrated / inconsistent Intune environment.
- Strong knowledge of:
  - Intune Management Extension (IME) behavior, Win32 app processing, and log-based troubleshooting
  - Policy assignment/scoping, filters, and conflict resolution
  - Autopilot + ESP design and troubleshooting
  - Windows Update for Business rings and feature update control
- Strong Windows 10/11 troubleshooting skills (Event Viewer, services, scheduled tasks, registry, MDM diagnostics).
- Strong PowerShell skills used routinely for automation, reporting, and troubleshooting (Graph API preferred).
- Ability to write clear documentation and operate with disciplined change control.

Preferred Qualifications
- Co-management (ConfigMgr/SCCM) experience and understanding of how it can shadow or override Intune behavior.
- Defender for Endpoint and endpoint security policy experience (BitLocker, ASR, firewall, security baselines).
- macOS and/or mobile management experience (iOS/iPadOS, Android Enterprise).
- PKI/cert profiles (SCEP/PKCS), Wi-Fi/VPN profiles, and enterprise networking integrations.
- Certifications (nice to have): MD-102, Azure/Entra, Security certs.