Job Description
Role Summary
We’re seeking a Senior Cloud Desktop Engineer to architect, deploy, and operate enterprise-scale Windows 365 and/or Azure Virtual Desktop (AVD) environments across multiple global regions. The ideal candidate has led end-to-end production deployments (not POCs), understands multi-region user experience, and can combine architecture, automation, security, and operations to deliver a consistent, compliant platform at scale (25,000–30,000+ users).
Key Responsibilities
Architecture & Deployment
• Design and deliver multi-region Windows 365/AVD platforms for 25k–30k users, including provisioning policies, device sizing, application placement, image strategy, and regional deployment waves.
• Select and implement network connectivity models (e.g., Azure Network Connection vs. Global Secure Access) and determine when VPN is required for Cloud PCs.
• Define cutover plans, pilot criteria, success metrics, rollback plans, and knowledge transfer.
Networking, Connectivity & Global Access
• Engineer resilient global connectivity for Cloud PCs; troubleshoot cross-region connectivity and latency issues; optimize routing and bandwidth usage.
• Establish standards for DNS, routing, and identity flows across regions; evaluate and implement GSA where appropriate.
Image Creation, Hardening & Lifecycle
• Build, harden, and maintain gold images for Windows 365/AVD using Intune, MECM/SCCM, MDT, and/or third-party tooling.
• Optimize images for performance (e.g., logon time, disk I/O, Teams optimization), enable repeatable patching and regional consistency.
Security & Access Control
• Implement mandatory security controls for Cloud PCs: MFA, Conditional Access, device compliance, baseline hardening, Defender/EDR, DLP, and data exfiltration controls.
• Design privilege elevation processes and tooling (e.g., BeyondTrust, LAPS) aligned to least privilege and auditability.
Enterprise Management & Tooling
• Operate and scale Intune to 10,000+ devices, balancing Intune policies, GPOs, and third-party toolsets.
• Recommend and integrate advanced tooling for inventory, software delivery, observability, and remote support beyond baseline Intune capabilities.
Performance, Monitoring & Troubleshooting
• Define and track VDI KPIs (e.g., logon time, CPU/memory, disk I/O, session stability, Teams/Zoom optimization).
• Diagnose performance issues across regions; mitigate security agent overhead; drive root cause analysis and durable fixes.
Multi-Region Architecture & User Experience
• Design for consistent UX across NA, EU, and APAC, considering data residency, compliance, and cross-region latency.
• Align application distribution (SaaS, on-prem, virtualized) with network topology and user proximity.
Configuration as Code & Automation
• Manage platform configuration as code using Azure DevOps, GitHub Actions, Terraform (or equivalent); establish version control for Intune/AVD artifacts and CI/CD pipelines.
• Automate image pipeline, policy deployment, and environment validation.
Application Delivery Strategy
• Determine base image vs. dynamic delivery; package and deliver applications via MSIX App Attach or equivalent technologies.
• Optimize real-time collaboration apps (e.g., Teams, Zoom) for Cloud PCs.
Data & User State Management
• Define data strategy across OneDrive, SharePoint, Teams, and traditional home drives; implement user state management for VDI.
• Support hybrid scenarios where specific apps require on-prem storage or low-latency access.
Minimum Qualifications (Must Have)
• 7+ years in End User Computing/VDI/endpoint management; 3+ years leading production Windows 365 or AVD deployments.
• Proven end-to-end responsibility for at least one enterprise Windows 365/AVD deployment (not a POC), ideally >10k users and multi-region.
• Deep expertise with Windows 365 and/or AVD, Intune, Azure AD/Entra ID, Conditional Access, MFA, and device compliance.
• Strong networking fundamentals (latency, bandwidth, routing, DNS) and Azure networking (VNets, peering, vWAN, private endpoints); practical understanding of ANC vs. GSA; experience assessing VPN requirements for Cloud PCs.
• Hands-on image engineering (creation, hardening, optimization, patching) with Intune/MECM/MDT and consistent flighting across multiple regions.
• Proficiency in PowerShell and at least one automation/IaC platform (Terraform preferred; Azure DevOps or GitHub Actions for CI/CD).
• Demonstrated ability to monitor and troubleshoot at scale using AVD Insights/Azure Monitor/Log Analytics (or equivalent).
• Experience implementing privileged access solutions (e.g., BeyondTrust, LAPS) and data loss prevention/exfiltration controls.
Preferred Qualifications
• MSIX App Attach packaging and dynamic app delivery experience.
• Experience with FSLogix user profile/container strategies and profile performance tuning.
• Exposure to Citrix (or other VDI) in hybrid or migration contexts.
• Familiarity with ITIL practices and enterprise change management.
• Relevant certifications: Microsoft Certified: Azure Virtual Desktop Specialty, Azure Administrator, or equivalent.
Success Measures (First 6–12 Months)
• Architecture approved for multi-region Windows 365/AVD supporting 25k–30k users, with clear cutover and risk mitigation plans.
• Hardened base images and automated patching pipeline in place; measurable improvement in logon time and session performance.
• Monitoring & KPIs implemented with alerting and dashboards; established SLA/SLOs for availability and UX.
• Configuration as code repositories and CI/CD pipelines operational; peer review and rollback standards defined.
• Security & compliance baselines enforced globally with regional variations documented and audited.
We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.
Required Skills & Experience
• Led a production Windows 365 or AVD deployment (not a POC) with >10k users and at least 2 regions.
• Can articulate ANC vs. GSA differences and when/why to use each.
• Provides a clear image lifecycle approach (build, harden, patch, flight, rollback).
• Demonstrates automation/IaC with real examples (Terraform, pipelines, version control).
• Explains KPIs and methods for performance troubleshooting (logon time, CPU/memory, I/O, Teams optimization).
• Details privilege elevation and data exfiltration prevention strategies.
Nice to Have Skills & Experience
• Concrete experience optimizing Teams/Zoom on Cloud PCs.
• Shows design decisions balancing data residency, compliance, and UX across NA/EU/APAC.
• Can discuss trade-offs of base image vs. dynamic app delivery including MSIX App Attach.
• Evidence of running Intune at 10k+ scale and when to augment with third-party tooling.
Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.