Windows/Linux Patching, Maintenance & Automation Engineer
Position Overview
The Windows/Linux Patching, Maintenance & Automation Engineer is responsible for enterprise-wide patching, OS maintenance, and automation across Windows Server 2016-2025 and RHEL 8/9 in VMware and Azure environments. This role will also assist with Identity and Access Management (IAM) technologies to ensure secure, auditable access patterns for systems management, scanning, and automation. You will lead patch strategy, drive remediation based on authenticated scan results and pen test findings, and introduce Infrastructure as Code (IaC) to improve standardization, speed, and security.

Essential Duties And Responsibilities

Ownership of Patching & Maintenance (Windows + RHEL)
Lead end-to-end patch operations: strategy, ring-based deployments, testing, maintenance windows, approvals, and communications.
Define and maintain patch baselines for Windows Server 2016-2025 and RHEL 8/9/10, including reboot orchestration and exception workflows.
Own lifecycle planning: OS version standards, EOL tracking, upgrades, templates/images, and baseline hardening.
Drive post-maintenance validation (service health, event/log checks, synthetic probes) and implement rollback plans.

Tooling Leadership (Tanium + Intune)
Own and optimize Tanium for patch deployment, compliance reporting, remediation actions, and operational troubleshooting.
Use Intune for endpoint policy posture and update orchestration where appropriate.
Build and maintain patch runbooks, automated health checks, and common failure remediation playbooks.

Security Validation & Vulnerability Remediation
Use Tanium authenticated scans to validate remediation and produce audit-ready evidence.
Partner with Security to prioritize remediation based on exploitability, asset criticality, and exposure.
Convert Horizon3.ai NodeZero findings into actionable remediation plans; validate closure and prevent recurrence.

IAM Responsibilities (Hybrid Identity)
Assist in designing and enforcing IAM patterns for patching, scanning, and automation:
  Least privilege access models for administrators, service accounts, automation identities, and scanners
  Privileged access controls (e.g., tiered admin, just-in-time access, break-glass procedures)
  Credential and secret management practices for scripts/automation (vaulting, rotation, non-interactive auth)
Integrate identity controls with Windows and Linux administration models:
  AD/Azure AD identity patterns, RBAC, group-based access, role separation
  Linux privilege delegation patterns (sudoers hygiene, centralized identity where applicable)
Ensure access is auditable and compliant: logging, review/recertification support, and evidence generation.

Azure Configuration Posture (CSPM-driven)
Use Microsoft Defender for Cloud recommendations to drive remediation of cloud configuration risks.
Work with cloud and security teams to implement secure baselines and reduce drift.

Automation & Infrastructure as Code (IaC)
Build automation for patching workflows: pre-checks, phased rollouts, post-checks, exception handling, rollbacks, reporting, and ticket/change integration.
Introduce and design IaC for Azure and supporting infrastructure using Terraform and/or Bicep/ARM, with Git-based review and promotion workflows.
Create reusable modules/patterns that standardize provisioning, policy enforcement, and operational readiness.

Operational Excellence
Participate in on-call and after-hours maintenance rotations.
Lead incident response and root cause analysis for patch-related outages; write postmortems and implement preventive controls.
Maintain clear documentation: standards, runbooks, rollback procedures, and known issue libraries.

Required Qualifications
Proven ability to lead patch strategy (rings, baselines, risk management, validation, reporting).
Strong automation skills: PowerShell + Bash/Python; ability to build reliable, idempotent automation.
Directory services, RBAC/group-based access, privileged access patterns, service identities
Audit/logging considerations and access review support
Comfortable operating within change control and regulated operational processes.

Preferred Qualifications
VMware experience (vSphere operations, templates, snapshot strategy, maintenance coordination).
Azure experience (compute/network/storage, RBAC, logging/monitoring, policy governance).
Experience improving posture using Defender for Cloud (CSPM).
IaC expertise: Terraform and/or Bicep/ARM; GitOps workflows; module design.
Familiarity with hardening standards (CIS/STIG) and vulnerability management lifecycles.

Technologies & Tooling (Environment Fit)
Hybrid: VMware, Microsoft Azure
OS: Windows Server 2016-2025; RHEL 8/9
Mgmt/Patching: Tanium, Intune
Security: Tanium authenticated scans, Horizon3.ai NodeZero
Cloud posture: Microsoft Defender for Cloud (CSPM)
Automation/IaC: PowerShell, Bash/Python, Terraform/Bicep/ARM, Git workflows
IAM: AD/Azure AD (Entra ID), RBAC/role design, privileged access patterns, service identities/secret management

Success Metrics
Patch compliance and vulnerability SLA adherence (verified by authenticated scanning)
Reduction in critical/high findings over time (including NodeZero-driven issues)
Decrease in manual patching effort via automation/IaC (hours saved / workflows automated)
Improvement in Defender for Cloud posture metrics and recommendation closure rate
Reduction in patch-related incidents and faster recovery when issues occur

Education And Experience
5+ years of enterprise experience managing Windows Server and RHEL patching/maintenance at scale.
Experience with Tanium systems management/patching and compliance reporting (strongly preferred).
Experience with IAM technologies in hybrid environments (on-prem + Azure):

Work Environment
While performing the duties of this Job, the employee is occasionally exposed to moving mechanical parts, and fumes or airborne particles. The noise level in the work environment will range from quiet to moderately loud.

Employer Rights
This job description is intended to provide general information about the Windows/Linux Patching, Maintenance & Automation Engineer position. The above does not constitute an exhaustive list of the job duties to be performed by an associate holding the position of Windows/Linux Patching, Maintenance & Automation Engineer, nor are the lists of the physical requirements and environmental conditions exhaustive. You may be asked by your supervisor or managers to perform other duties. Your performance will be evaluated in part based upon your performance of the job duties listed in this job description, as well as any job duties not specifically listed above that you may be asked from time to time to perform.
As with all positions, the duties and responsibilities are subject to change at any time as needs arise and at the discretion of RJW Transport, Inc. The Company has the right to revise this job description at any time.

Employment-At-Will
It is the Company’s policy that all associates, other than those covered by a written individual employment or labor agreement with the Company that has been authorized in writing by the Company’s Chief Executive Officer or Board of Directors, are not employed for any fixed term and are employed at the will of the Company for an indefinite period.
Just as our associates reserve the right to resign their employment at any time for any reason, the Company reserves its right to terminate an associate at any time for any reason, either with or without cause.
Neither this Job Description nor any of its individual terms constitute commitments between the Company and its associates as to the terms, conditions, or duration of employment, nor does it modify the prevailing Employment-At-Will relationship.