Job Specifications
Senior Cloud Desktop Engineer (Windows 365 / Azure Virtual Desktop)
Role Summary
We’re seeking a Senior Cloud Desktop Engineer to architect, deploy, and operate enterprise‑scale Windows 365 and/or Azure Virtual Desktop (AVD) environments across multiple global regions. The ideal candidate has led end‑to‑end, production deployments (not POCs), understands multi‑region user experience, and can combine architecture, automation, security, and operations to deliver a consistent, compliant platform at scale (25,000–30,000+ users).
Key Responsibilities
Architecture & Deployment
Design and deliver multi‑region Windows 365/AVD platforms for 25k–30k users, including provisioning policies, device sizing, application placement, image strategy, and regional deployment waves.
Select and implement network connectivity models (e.g., Azure Network Connection vs. Global Secure Access) and determine when VPN is required for Cloud PCs.
Define cutover plans, pilot criteria, success metrics, rollback plans, and knowledge transfer.
Networking, Connectivity & Global Access
Engineer resilient global connectivity for Cloud PCs; troubleshoot cross‑region connectivity and latency issues; optimize routing and bandwidth usage.
Establish standards for DNS, routing, and identity flows across regions; evaluate and implement GSA where appropriate.
Image Creation, Hardening & Lifecycle
Build, harden, and maintain gold images for Windows 365/AVD using Intune, MECM/SCCM, MDT, and/or third‑party tooling.
Optimize images for performance (e.g., logon time, disk I/O, Teams optimization); enable repeatable patching and regional consistency.
Security & Access Control
Implement mandatory security controls for Cloud PCs: MFA, Conditional Access, device compliance, baseline hardening, Defender/EDR, DLP, and data exfiltration controls.
Design privilege elevation processes and tooling (e.g., BeyondTrust, LAPS) aligned to least privilege and auditability.
Enterprise Management & Tooling
Operate and scale Intune to 10,000+ devices, balancing Intune policies, GPOs, and third‑party toolsets.
Recommend and integrate advanced tooling for inventory, software delivery, observability, and remote support beyond baseline Intune capabilities.
Performance, Monitoring & Troubleshooting
Define and track VDI KPIs (e.g., logon time, CPU/memory, disk I/O, session stability, Teams/Zoom optimization).
Diagnose performance issues across regions; mitigate security‑agent overhead; drive root cause analysis and durable fixes.
Multi‑Region Architecture & User Experience
Design for consistent UX across NA, EU, and APAC, considering data residency, compliance, and cross‑region latency.
Align application distribution (SaaS, on‑prem, virtualized) with network topology and user proximity.
Configuration as Code & Automation
Manage platform configuration as code using Azure DevOps, GitHub Actions, Terraform (or equivalent); establish version control for Intune/AVD artifacts and CI/CD pipelines.
Automate the image pipeline, policy deployment, and environment validation.
Application Delivery Strategy
Determine base image vs. dynamic delivery; package and deliver applications via MSIX App Attach or equivalent technologies.
Optimize real‑time collaboration apps (e.g., Teams, Zoom) for Cloud PCs.
Data & User State Management
Define data strategy across OneDrive, SharePoint, Teams, and traditional home drives; implement user state management for VDI.
Support hybrid scenarios where specific apps require on‑prem storage or low‑latency access.
Minimum Qualifications (Must‑Have)
7+ years in End‑User Computing/VDI/endpoint management; 3+ years leading production Windows 365 or AVD deployments.
Proven end‑to‑end responsibility for at least one enterprise Windows 365/AVD deployment (not a POC), ideally >10k users and multi‑region.
Deep expertise with Windows 365 and/or AVD, Intune, Azure AD/Entra ID, Conditional Access, MFA, and device compliance.
Strong networking fundamentals (latency, bandwidth, routing, DNS) and Azure networking (VNets, peering, vWAN, Private endpoints); practical understanding of ANC vs. GSA; experience assessing VPN requirements for Cloud PCs.
Hands‑on image engineering (creation, hardening, optimization, patching) with Intune/MECM/MDT and consistent flighting across multiple regions.
Proficiency in PowerShell and at least one automation/IaC platform (Terraform preferred; Azure DevOps or GitHub Actions for CI/CD).
Demonstrated ability to monitor and troubleshoot at scale using AVD Insights/Azure Monitor/Log Analytics (or equivalent).
Experience implementing privileged access solutions (e.g., BeyondTrust, LAPS) and data‑loss prevention/exfiltration controls.
Preferred Qualifications
MSIX App Attach packaging and dynamic app delivery experience.
Experience with FSLogix user profile/container strategies and profile performance tuning.
Exposure to Citrix (or other VDI) in hybrid or migration contexts.
Familiarity with ITIL practices and enterprise change man