Job Description
By clicking the “Apply” button, I understand that my employment application process with Takeda will commence and that the information I provide in my application will be processed in line with Takeda’s Privacy Notice and Terms of Use I further attest that all information I submit in my employment application is true to the best of my knowledge.
We are seeking an experienced and technically deep Windows Device Engineering Lead to own and drive the global endpoint management strategy for approximately 50,000 Windows devices across our worldwide operations. This is a high-impact technical leadership role responsible for the full device lifecycle — from provisioning and configuration to monthly patching, security hardening, and decommission — while coordinating a distributed team of contractors across time zones.
The ideal candidate combines hands-on technical mastery in Microsoft Intune, SCCM/MEMCM, PowerShell scripting, and application packaging with the organizational skills to lead, mentor, and direct an offshore delivery team. You will serve as the primary liaison between endpoint engineering, security, and business stakeholders, ensuring our endpoint estate is compliant, resilient, and operationally excellent.
Key Responsibilities
Endpoint Management & Strategy
- Architect, maintain, and continuously improve the global Windows device management platform using Microsoft Intune and SCCM/MEMCM (co-management and cloud-only environments).
- Define and own configuration baselines, enrollment profiles, compliance policies, and conditional access rules across the ~50,000 endpoint estate.
- Drive the organization's modernization roadmap toward cloud-native device management (Autopilot, Intune-only, co-management).
- Oversee device lifecycle management including provisioning, imaging, refresh cycles, and decommissioning procedures.
Patching & Vulnerability Management
- Own the end-to-end monthly Patch Tuesday cycle: planning, ring-based deployment, remediation tracking, and executive reporting.
- Manage software update servicing (WSUS/SUP, Intune Update Rings, Windows Autopatch) and ensure SLA compliance across all global regions.
- Partner with the Security Operations team to remediate critical and high vulnerabilities within agreed SLO windows.
- Maintain a documented patching run book and escalation path for failures and exceptions.
Security Policy & Compliance (CIS & MDE)
- Implement and enforce CIS Benchmark controls for Windows (Level 1 and Level 2) across the global fleet via Intune configuration profiles and SCCM baselines.
- Own the Microsoft Defender for Endpoint (MDE) deployment, configuration, and health monitoring — including onboarding policies, ASR rules, tamper protection, and threat & vulnerability management.
- Collaborate with the Security team to operationalize MDE alerts, Secure Score improvements, and endpoint detection & response (EDR) posture.
- Conduct periodic compliance reporting against CIS benchmarks and remediate drift; maintain audit-ready documentation.
- Manage and tune Intune compliance and conditional access policies to enforce Zero Trust principles.
PowerShell & Scripting
- Develop, maintain, and peer-review PowerShell scripts for automation across device management tasks including compliance remediation, reporting, inventory, and configuration drift detection.
- Build and maintain CI/CD-friendly script repositories with version control (Git), testing frameworks, and documentation standards.
- Leverage Graph API and PowerShell SDK for Intune to automate tenant configuration, bulk operations, and reporting.
- Champion scripting best practices and provide guidance/code reviews to contractor team members.
Application Packaging & Deployment
- Lead application packaging efforts including Win32 apps (Intune), MSI/EXE/MSIX transforms, and SCCM packages/task sequences.
- Define and maintain application packaging standards, testing procedures, and approval workflows.
- Manage the application catalog, ensuring software is current, licensed, and securely deployed.
- Coordinate with software vendors and internal stakeholders to resolve packaging challenges and dependency conflicts.
Team Leadership & Offshore Coordination
- Lead, coordinate, and quality-assure the work of a team of offshore contractors based primarily in India, including task assignment, sprint planning, and performance feedback.
- Establish clear SLAs, runbooks, and escalation paths to ensure consistent delivery quality across time zones.
- Conduct regular stand-ups, knowledge-transfer sessions, and technical mentorship for the contractor team.
- Manage staffing levels, onboarding, and knowledge continuity to minimize single points of failure.
- Collaborate closely with IT leadership to prioritize the team's backlog against project and operational demands.
Documentation, Reporting & Governance
- Maintain comprehensive documentation for all device management processes, configurations, and operational procedures.
- Produce regular management reporting on endpoint health, patch compliance, security posture, and KPIs.
- Participate in change management processes (CAB), ensuring all changes to the endpoint platform are risk-assessed and communicated.
- Represent the endpoint team in cross-functional meetings with IT Security, Networking, Help Desk, and business units.
Required Qualifications
Experience
- 7+ years of hands-on experience in Windows endpoint management at enterprise scale (10,000+ endpoints).
- Demonstrated experience managing a globally distributed Windows device fleet across multiple geographies.
- 3+ years of experience directly leading or coordinating technical teams, including offshore/nearshore resources.
- Prior experience working within a 24/7 global IT operations model preferred.
Technical Skills — Must Have
- Microsoft Intune — Deep, hands-on expertise in Intune device enrollment (AADJ, Hybrid AADJ, Autopilot), configuration profiles, compliance policies, app deployment, and update rings. Experience with Intune co-management and tenant-attach scenarios. Microsoft Intune:
- SCCM / MEMCM — Strong working knowledge of SCCM site design, client deployment, task sequences, OSD, software update management, and reporting (SSRS). Experience migrating workloads to Intune preferred. SCCM / MEMCM:
- PowerShell — Advanced scripting ability; able to write production-grade scripts without supervision. Proficient with PowerShell modules for Intune (Microsoft.Graph), Active Directory, and Windows management. Comfortable with error handling, logging, and modular script design. PowerShell:
- App Packaging — Proficient with Win32 app packaging for Intune (IntuneWinAppUtil), MSI/MSIX repackaging, silent install parameters, detection rules, and dependency management. Experience with SCCM packages and task sequences. App Packaging:
- CIS Benchmarks — Working knowledge of CIS Microsoft Windows Benchmark controls; experience translating CIS controls into Intune/SCCM policies and tracking compliance. CIS Benchmarks:
- Microsoft Defender for Endpoint (MDE) — Experience deploying and managing MDE at scale, including onboarding, policy configuration, ASR rules, threat & vulnerability management (TVM), and integration with Microsoft Sentinel or SIEM platforms. Microsoft Defender for Endpoint:
Technical Skills — Strong Plus
- Windows Autopatch and Autopilot self-deploying / pre-provisioning scenarios.
- Azure Active Directory / Entra ID — Conditional Access, device compliance integration, hybrid identity.
- Microsoft Endpoint Analytics and Intune reporting workbooks.
- Experience with ITSM tooling (ServiceNow) for change management and incident integration.
- Familiarity with Microsoft Sentinel or Defender XDR for endpoint telemetry correlation.
- Knowledge of ITIL frameworks, particularly incident, change, and problem management.
Preferred Qualifications
- Microsoft 365 Certified: Endpoint Administrator Associate (MD-102) or equivalent certification.
- Microsoft Certified: Security, Compliance, and Identity Fundamentals or Security Operations Analyst Associate (SC-200).
- Experience in highly regulated industries (financial services, healthcare, government) with strict compliance requirements.
- Familiarity with additional endpoint security tools (Microsoft Defender, CrowdStrike, Tanium) is a plus.
- Exposure to non-Windows platforms (macOS, iOS/Android via Intune) in a mixed-OS environment.
- Experience with software license management and hardware asset management processes.
Core Competencies
Technical Leadership
Able to set technical direction, make defensible architectural decisions, and elevate team capability through mentorship.
Cross-Cultural Communication
Communicates clearly and effectively with offshore teams across time zones; adapts communication style for diverse audiences.
Security-First Mindset
Treats endpoint security as a non-negotiable baseline; proactively identifies and closes posture gaps.
Ownership & Accountability
Takes full ownership of outcomes — not just tasks. Escalates early, communicates risk, and drives issues to resolution.
Continuous Improvement
Seeks automation-first solutions to operational toil; champions process documentation and repeatability.
Work Environment & Expectations
- Availability to overlap with India-based contractor team for daily stand-ups and escalations (early morning or late afternoon flexibility required).
- Participation in on-call rotation for critical P1/P2 endpoint incidents and change windows.
- Travel may be required occasionally for team on-sites or major project deployments (estimate: 0–10% annually).
- Must be comfortable operating in a fast-paced, geographically distributed enterprise IT environment with competing priorities.
Takeda Compensation and Benefits Summary
We understand compensation is an important factor as you consider the next step in your career. We are committed to equitable pay for all employees, and we strive to be more transparent with our pay practices.
For Location:
Cambridge, MA
U.S. Base Salary Range:
$137,000.00 - $215,270.00
The estimated salary range reflects an anticipated range for this position. The actual base salary offered may depend on a variety of factors, including the qualifications of the individual applicant for the position, years of relevant experience, specific and unique skills, level of education attained, certifications or other professional licenses held, and the location in which the applicant lives and/or from which they will be performing the job. The actual base salary offered will be in accordance with state or local minimum wage requirements for the job location.
U.S. based employees may be eligible for short-term and/ or long-term incentives. U.S. based employees may be eligible to participate in medical, dental, vision insurance, a 401(k) plan and company match, short-term and long-term disability coverage, basic life insurance, a tuition reimbursement program, paid volunteer time off, company holidays, and well-being benefits, among others. U.S. based employees are also eligible to receive, per calendar year, up to 80 hours of sick time, and new hires are eligible to accrue up to 120 hours of paid vacation.
EEO Statement
Takeda is proud in its commitment to creating a diverse workforce and providing equal employment opportunities to all employees and applicants for employment without regard to race, color, religion, sex, sexual orientation, gender identity, gender expression, parental status, national origin, age, disability, citizenship status, genetic information or characteristics, marital status, status as a Vietnam era veteran, special disabled veteran, or other protected veteran in accordance with applicable federal, state and local laws, and any other characteristic protected by law.
Locations
Cambridge, MA
Worker Type
Employee
Worker Sub-Type
Regular
Time Type
Full time
Job Exempt
YesIt is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.