Modern Workplace / End User Compute Engineer
We are looking for a Modern Workplace / End User Compute (EUC) Engineer to join our managed services practice. You will be the technical owner for a portfolio of client estates, designing, delivering and supporting cloud-first endpoint and virtual desktop platforms built on Microsoft 365, Intune, Entra ID and Azure Virtual Desktop.
This is a hands-on engineering role with real client exposure. You will work alongside architects, project managers and service desk teams to migrate clients away from legacy on-premises management toward modern, zero-trust, cloud-managed environments, and keep those environments secure, patched and performant. Expect a mix of project delivery, escalations from the service desk, and continuous improvement of our managed offerings.
Key responsibilities
Modern endpoint management
• Intune & Autopilot: design, build and operate Microsoft Intune tenants — including Autopilot enrolment profiles, configuration profiles, compliance policies, Endpoint Security baselines and Update Rings across Windows 10/11.
• Application packaging & delivery: package and deploy Win32 apps, MSIX, store apps and Office/Microsoft 365 Apps via Intune; manage app lifecycle, supersedence and assignment strategies.
• Identity & access: configure Entra ID (formerly Azure AD), Conditional Access, MFA, SSPR, hybrid join, and Entra ID Connect synchronisation.
• Co-management & migration: migrate clients from SCCM / Configuration Manager and on-premises AD-joined estates to cloud-native, Entra-joined management.
Windows patch & update management
• Update strategy: design and operate Windows Update for Business (WUfB) policies, Update Rings, feature update profiles and Expedited update policies via Intune for both physical and virtual endpoints.
• Windows Autopatch: onboard eligible client tenants to Windows Autopatch, manage device and update groups, and triage release health alerts.
• Third-party patching: deploy and maintain third-party application patching via Intune (Win32 supersedence, Patch My PC, or equivalent) to keep browsers, runtimes and line-of-business apps current.
• Server & infrastructure patching: co-ordinate Azure Update Manager / WSUS scheduling for AVD session hosts, gold images and any remaining management infrastructure.
• Compliance & reporting: produce monthly patch compliance reports for clients using Intune reporting, Endpoint Analytics and Log Analytics; investigate and remediate non-compliant devices.
• Vulnerability response: work with the security team to prioritise out-of-band patches in response to CVEs and Microsoft Defender Vulnerability Management findings.
Virtual desktop & cloud workspace
• Azure Virtual Desktop (AVD): deploy and operate AVD host pools, session hosts, FSLogix profile containers, image management (custom images, Azure Image Builder) and scaling plans.
• Windows 365: provision and manage Cloud PCs, custom images, provisioning policies and user assignment.
• Citrix (advantageous): support existing Citrix DaaS / CVAD estates during migration to Microsoft-native alternatives.
• Performance & cost: monitor session performance, right-size hosts and Cloud PCs, and contribute to FinOps reporting for client environments.
Service delivery & client engagement
• Third-line support: act as a senior escalation point for the service desk on EUC, Intune and AVD incidents and problems.
• Change & release: raise, peer-review and implement RFCs across multiple client tenants in line with ITIL change management.
• Documentation: produce and maintain high-quality build documents, run-books, low-level designs and knowledge base articles.
• Client-facing delivery: join client workshops, technical design sessions and project handovers; explain trade-offs in plain language to non-technical stakeholders.
Continuous improvement & automation
• PowerShell & Graph API: automate provisioning, reporting and tenant configuration using PowerShell, Microsoft Graph and Graph PowerShell SDK.
• Service development: feed back into our managed service standards, baselines and reference architectures so every new client benefits from prior work.
Essential skills and experience
• 3–5 years' hands-on experience in an End User Compute, Modern Workplace or Desktop Engineering role.
• Strong production experience with Microsoft Intune, Autopilot and Endpoint Security, ideally across multiple tenants.
• Solid working knowledge of Entra ID, Conditional Access, MFA and modern identity concepts (Zero Trust, device-based trust).
• Experience delivering and supporting at least one virtual desktop platform in production — Azure Virtual Desktop, Windows 365 or Citrix.
• Hands-on experience operating Windows patch management at scale — Windows Update for Business, Update Rings, feature update controls and patch compliance reporting.
• Confident with Windows 10/11, Microsoft 365 Apps, OneDrive Known Folder Move and Teams desktop deployment.
• Practical PowerShell scripting ability — comfortable reading, modifying and writing scripts that interact with Graph and Azure.
• Excellent written English and the ability to produce clear technical documentation for both peers and clients.
• Experience working in an ITIL-aligned environment with formal incident, problem and change processes.
Desirable skills and experience
• Prior experience in a Managed Service Provider (MSP) or IT consultancy environment.
• Exposure to macOS management via Intune or Jamf.
• Familiarity with SCCM / Configuration Manager and co-management migrations.
• Experience with Windows Autopatch, Azure Update Manager or third-party patching tooling (Patch My PC, Ivanti, ManageEngine).
• Experience with FSLogix, App Attach and image management pipelines.
• Working knowledge of Defender for Endpoint, Defender Vulnerability Management and Microsoft Purview.
• Experience with Power Platform — particularly Power Automate for EUC workflows.
Certifications
We are pragmatic about certifications — proven, hands-on experience matters most. However, there may be occasions where we require certification. The following are considered favourably and we will fund continued study and exam costs.
• Expected or in progress: MD-102 Endpoint Administrator Associate or MS-102 Microsoft 365 Administrator Expert.
• Advantageous: AZ-140 (AVD Specialty), SC-300 (Identity & Access Administrator), AZ-104 (Azure Administrator).
What you bring as a person
• A genuine curiosity for how things work — you read release notes, follow the product roadmaps and enjoy experimenting in a lab tenant.
• Calm under pressure during P1 incidents, with a structured approach to troubleshooting.
• A consulting mindset: you ask why before how, and tailor solutions to the client's size, sector and risk appetite.
• Strong communication — you can explain Conditional Access to a CFO and a junior engineer in the same week.
• Pride in clean, well-documented work that the rest of the team can pick up without you.
What we offer
• Genuine variety of work across multiple clients, sectors and platforms — no two weeks are the same.
• A senior, supportive engineering team and an architect community that mentors mid-level engineers toward Senior and Principal roles.
• Funded certifications, vendor training and a dedicated learning day every month.
• Competitive salary, pension, private medical and 25 days' holiday plus bank holidays.