SCCM L3 Engineer

Job details

Key Responsibilities

Patch Management & Automation

Own end-to-end patch management for Windows servers and workstations using SCCM / MECM — from patch ring design and deployment rules to maintenance window scheduling and success validation.
Design, build, and maintain fully automated patching workflows using SCCM task sequences, ADRs (Automatic Deployment Rules), and PowerShell scripts — minimizing manual intervention to zero.
Continuously identify and eliminate manual steps from the patching process; document every step in a reproducible, peer-reviewable runbook.
Define and execute pre-patch and post-patch validation checklists; ensure patch compliance reporting is accurate and timely.
Investigating patch failures promptly — correlate with environment changes (network, firewall, GPO), produce RCAs, and drive resolution with the right stakeholders.

SCCM Environment Management

Manage and optimize SCCM infrastructure: site servers, distribution points, management points, boundaries, and boundary groups.
Design and maintain collection structures, deployment packages, and application models for both software distribution and OS deployment (OSD).
Perform SCCM health checks, database maintenance, client health remediation, and site hierarchy optimization.
Manage and troubleshoot SCCM client deployment, client push, and client communication issues at scale.
Maintain and improve SCCM co-management configuration where Intune is in scope.

Operational Ownership

Act as the escalation point (L3) for SCCM-related incidents — take ownership from initial triage through to resolution without requiring hand-holding.
Proactively monitor patching status and environment health; raise issues before customers do.
Produce post-maintenance window reports covering patch success rates, failures, root causes, and next actions — without prompting.
Maintain a stakeholder matrix for server owners, firewall teams, and access owners; build and use escalation paths independently.
Conduct structured knowledge transfer to backup engineers; ensure no single point of failure in the patching process.

Documentation & Process

Own the SCCM runbook library — create, maintain, and version-control end-to-end process documentation for all patching and deployment activities.
Document all automation scripts with inline comments, version history, and usage instructions.
Participate in change management processes — prepare RFC documentation, risk assessments, and rollback plans for SCCM changes.

Required Qualifications (Must Have)

Extensive experience in Active Directory engineering within enterprise environments
Proven, hands-on expertise in:
Active Directory Tiering model (Tier 0 / Tier 1 / Tier 2) – mandatory
Microsoft Entra ID (Azure AD)
Conditional Access (design & enforcement)
Privileged Identity Management (PIM)
Group Policy (GPO)
Hybrid identity (AD Connect / Entra ID sync)
Strong experience with:
Access governance and access reviews
Identity security and privileged access controls
Advanced troubleshooting (AD, authentication, identity sync)
Proven ability to operate as a expert engineer / SME / technical lead

Mandatory Microsoft Certifications

Microsoft Certified: Identity and Access Administrator Associate (SC-300)
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-800 & AZ-801)

Preferred / Nice to Have

Key Competencies

Ideal Candidate

A senior identity expert who owns Active Directory Tiering end-to-end, has strong command of Microsoft Entra ID, Conditional Access, and PIM, and can drive identity security maturity across hybrid environments.