Sr. Windows Systems & Automation Engineer (Remote)
Job Description
Position Overview
At CrowdStrike, a global leader in cybersecurity, we protect the people, processes, and technologies that drive modern organizations. Our mission remains to stop breaches with the world's most advanced AI-native platform. We are seeking a Windows Expert with a proven track record of designing, automating, and securing large-scale enterprise environments. In this role, you will own core Windows platform services – including AD, DNS/DHCP, NPS/RADIUS – build a certificate management service (CMaaS), and lead automation across tens of thousands of endpoints and servers. Additionally, you'll serve as the SCCM expert for endpoint computing, ensuring top-tier troubleshooting and seamless operations across hybrid data centers and multi-cloud environments (AWS + GCP).
CrowdStrike is proud to be an equal opportunity employer committed to creating an inclusive culture where every individual is empowered to succeed.
Key Responsibilities
- Architect, operate, and harden Active Directory (multi-forest, multi-site), DNS/DHCP, and NPS/RADIUS for Wi-Fi/VPN/802.1X (EAP-TLS).
- Lead GPO strategy, OU design, admin tiering, delegation, and AD replication/site topology.
- Own endpoint lifecycle at scale: imaging/OSD, driver/firmware management, software packaging/distribution, update rings, device health/telemetry, and fleet compliance.
- Engineer endpoint security baselines including BitLocker, LAPS, WDAC/AppLocker, Defender/EDR integrations, credential hardening, and certificate deployment for EAP-TLS/mTLS.
- Lead SCCM/MECM architecture and operations: Task Sequences/OSD, app packaging, SUP/WSUS patching, compliance baselines, collections, reporting/CMPivot, and role-based access.
- Drive release rings, maintenance windows, and measurable patch compliance SLOs across large fleets.
- Triage and resolve complex endpoint/server issues such as logon slowness, BSODs/hangs, app crashes, update/install failures, 802.1X/RADIUS authentication problems, and TLS/certificate breakage.
- Utilize deep diagnostics with tools like Sysinternals (ProcMon/ProcExp/Autoruns), Windows Performance Toolkit (WPR/WPA), WinDbg/WER, ETW/WEF, PerfMon, Wireshark, and netsh/packet capture to determine root causes and prevent recurrences.
- Deliver automation solutions using PowerShell, PowerShell DSC, Terraform, and Packer for provisioning, configuration drift control, and compliance, integrated with CI/CD tools (GitHub Actions/GitLab/Jenkins).
- Build self-service patterns and APIs for golden images, desired-state baselines, and just-in-time access.
- Design and operate enterprise PKI including policy-driven issuance/renewal, inventory/attestation, CRL/OCSP, and revocation at scale.
- Integrate with ADCS, AWS ACM/ACM Private CA, GCP Certificate Authority Service, Venafi, HashiCorp Vault PKI, and cert-manager/ACME to enable EAP-TLS, service mTLS, code-signing, and device certificates.
- Standardize and harden Windows workloads in AWS (EC2/SSM/KMS/IAM/ACM/Directory Service/Route 53) and GCP (Managed Microsoft AD, GCE, Cloud DNS/KMS/CAS).
- Build reproducible images and baseline configurations for both domain-joined and cloud-native instances.
- Perform hands-on Windows server operations (storage/SMB, DFS, file/print), performance tuning, and core network triage (DHCP/DNS/Kerberos).
- Leverage knowledge in virtualization (VMware vSphere/Hyper-V), backup/restore workflows, and operational monitoring.
Required Qualifications
- 8+ years designing, building, and operating enterprise Windows platforms (server and endpoint) and managing AD, DNS/DHCP, NPS at large scale (10k+ endpoints or equivalent).
- Proven track record in delivering large-scale SCCM (MECM) programs covering OSD/Task Sequences, application packaging, SUP/WSUS patching at fleet scale, compliance baselines, and reporting.
- Experience managing endpoint computing outcomes such as high patch compliance, stable driver/firmware lifecycle, reduced login times, and resilient EAP-TLS/Wi-Fi/VPN performance.
- Expertise in PKI/CMaaS implementations (ADCS, ACM Private CA, GCP CAS, Venafi, Vault PKI, ACME) with capabilities in automated issuance, renewal, and expiry prevention.
- Proficiency with automation and Infrastructure-as-Code tools (PowerShell/DSC, Terraform, Packer) including CI/CD and testing integrations.
- Strong troubleshooting skills using Sysinternals, Windows Performance Toolkit, WinDbg, ETW/WEF, PerfMon, Wireshark, and Windows eventing to drive root cause analysis and preventive measures.
- Deep experience with AWS for Windows workloads combined with practical GCP knowledge for Windows services.
- A robust security background featuring Windows hardening, least privilege/tiered admin practices, RBAC/PAM integrations, SIEM pipeline familiarity, and zero-trust principles.
- Excellent documentation and design writing skills with the ability to lead through influence across Infra, Security, SRE, and Networking teams.
Preferred Qualifications
- Experience with HA/DR/Backup at scale including cross-region AD/DNS designs; familiarity with Veeam, Rubrik, or Cohesity; and knowledge of immutable backups and key management.
- Proven success in automating Enterprise Linux (RHEL/Ubuntu) environments (e.g., via Ansible) and managing macOS at scale (e.g., using Jamf), including certificate/SCEP integrations.
- Skills in IPAM/Infoblox and DHCP failover automation, DNS split-horizon, and API-driven workflows.
- Experience with large-scale observability including WEF subscriptions, SCOM, Prometheus Windows exporters, service-level objectives (SLOs), and error budgeting.
- Familiarity with compliance frameworks such as SOC 2 or ISO 27001 and expertise in evidence automation.