You’ll own the security hardening lifecycle for every Windows workload in our data centres and Azure tenant—domain controllers, IIS and Apache reverse proxies, clustered SQL farms, VMware vSphere nodes, print servers, and legacy line-of-business hosts. Working hand-in-hand with the SOC, infrastructure, and application teams, you will translate scanner output into concrete remediation plans, automate patch roll-outs, and verify that every critical CVE is closed within SLA.
Responsibilities
- Prioritise, schedule, and deploy OS & application patches across 5,000+ Windows Server 2016/2019/2022 machines using WSUS, SCCM/MECM, and Azure Update Manager.
- Interpret Tenable/Qualys/Nessus findings, map them to CVSS scores, asset criticality, and compensating controls, then feed risk data back to Governance & Risk.
- Maintain CIS-aligned GPOs covering password policy, NTLM hardening, SMB signing, TLS/SSL ciphers, and local privilege management; run quarterly drift checks with LGPO or Microsoft DSC.
- Write PowerShell/Desired State Configuration scripts to patch, reboot, and validate servers; generate weekly dashboards showing remediation velocity, SLA compliance, and zero-day exposure.
- Lead CAB submissions, craft back-out plans, and secure downtime windows with application owners; perform smoke tests post-patch and sign off.
- Serve as SME during security incidents involving Windows exploits (e.g., PrintNightmare, Zerologon), supplying rapid mitigation steps and forensic data.
- Evaluate new Microsoft servicing models (WUfB, Azure Arc), third-party patching tools, and vulnerability prioritisation engines to shorten mean time to remediate (MTTR).
Must Have
- Deep hands-on Windows Server administration (AD, DNS, PKI, Failover Clustering) plus proven WSUS or SCCM/MECM patch-management experience.
- Practical remediation of high-severity CVEs (e.g., credential theft, RCE, privilege escalation).
- PowerShell scripting proficiency for automation, inventory, and compliance checks.
- Familiarity with at least one enterprise vulnerability scanner (Tenable, Qualys, Nessus).
- Strong documentation, change-control, and stakeholder-communication skills in English.
Nice to Have
- Exposure to hybrid AD / Azure AD, ADFS, and certificate-authority hardening.
- Experience with EDR tools (Defender for Endpoint, CrowdStrike) and Exploit Guard rules.
- Microsoft or GIAC certs such as SC-200, AZ-500, GSEC, GCWN.
- Knowledge of compliance frameworks (ISO 27001, NIST 800-53) and audit evidence gathering.
- Python or Ansible skills for cross-platform automation.
What's great in the job?
Enjoy full ownership of the Windows security roadmap, a dedicated budget for global conferences and advanced training, and day-to-day collaboration with elite blue-team and cloud-architecture engineers. Your measurable impact—closing thousands of CVEs and slashing MTTR—translates directly into performance bonuses, fast-track promotions, and executive visibility.