Prioritise, schedule, and deploy OS & application patches across 5 000+ Windows Server 2016/2019/2022 machines using WSUS, SCCM/MECM, and Azure Update Manager.
Interpret Tenable/Qualys/Nessus findings, map them to CVSS scores, asset criticality, and compensating controls, then feed risk data back to Governance & Risk.
Maintain CIS-aligned GPOs covering password policy, NTLM hardening, SMB signing, TLS/SSL ciphers, and local privilege management; run quarterly drift checks with LGPO or Microsoft DSC.
Write PowerShell/Desired State Configuration scripts to patch, reboot, and validate servers; generate weekly dashboards showing remediation velocity, SLA compliance, and zero-day exposure.
Lead CAB submissions, craft back-out plans, and secure downtime windows with application owners; perform smoke tests post-patch and sign off.
Serve as SME during security incidents involving Windows exploits (e.g., PrintNightmare, Zerologon), supplying rapid mitigation steps and forensic data.
Evaluate new Microsoft servicing models (WUfB, Azure ARC), third-party patching tools, and vulnerability prioritisation engines to shorten mean time-to-remediate (MTTR).