Overview
Every TontonTools product is a single-file WPF application that runs on the administrator workstation. No agent runs on managed endpoints, no server component is installed in your environment, no Internet exposure is required beyond the standard Microsoft and licensing endpoints. This page covers the full lifecycle: installing a tool, completing the first-launch configuration, verifying connectivity, updating to newer versions, and uninstalling cleanly.
Because credentials and license state are stored in a per-user folder shared across the suite, installing one tool typically pays off for all subsequent tools the same operator uses. The first launch of the first tool does the heavy lifting; every subsequent tool inherits the credentials and may only ask for license activation.
Workstation-only
All products run on the administrator workstation. Nothing is deployed to managed endpoints. The same workstation can host any subset of the suite. Windows 10 22H2 or Windows 11.
No agent, no server
No always-on service, no background process. Each tool starts when launched, performs its work, and exits. Nothing listens, nothing phones home outside of license validation (at most weekly).
DPAPI credential storage
Credentials are DPAPI-encrypted under %AppData%\TontonTools\credentials.dat. Tied to the current Windows user account on the current workstation. Unreadable by any other user, even an administrator.
Shared across the suite
Credentials, SCCM auto-detection cache, and license state live under %AppData%\TontonTools\ and are read by every tool on the same Windows user. Install one tool, configure once, all tools benefit.
System requirements
| Requirement | Minimum |
|---|---|
| Operating system | Windows 10 22H2 or Windows 11. Domain-joined recommended (required for any tool that touches SCCM, Active Directory, or uses single sign-on against Entra ID). |
| .NET Framework | 4.7.2 or later. Already installed on every supported version of Windows 10 and Windows 11 by default. |
| Disk space | ~100 MB per tool installed. Tools that produce intermediate working files (notably SIM, which stages .intunewin packages) may temporarily use additional space under C:\TEMP — cleaned up after each operation. |
| RAM | ~250 MB at runtime per tool. The suite is lightweight; multiple tools open at once on a developer workstation is comfortable. |
| Windows user account | A standard domain user. Local administrator rights are NOT required for any tool. Tool-specific permissions (SCCM, AD, Graph) are scoped per tool and documented in the corresponding reference pages. |
| Network egress | Outbound HTTPS to graph.microsoft.com (Graph), *.blob.core.windows.net (only for SIM, Azure Blob upload), the SCCM site server (RPC TCP 135 + dynamic ports, only for SCCM-touching tools), a writable domain controller (LDAP TCP 389, only for DDE / GPDEU / GPUED), and api.lemonsqueezy.com (license validation, at most weekly). |
| RSAT ActiveDirectory module | Required ONLY for GPDEU and GPUED (which invoke Get-ADUser via PowerShell). Optional for all other tools. |
| SCCM console | NOT required. SCCM-touching tools query the SMS Provider directly via WMI. The console install is convenient for verification but never a prerequisite. |
Installation methods
TontonTools products are delivered as single self-contained .exe files. There is no MSI installer, no companion runtime to install, no Windows service to register. The right deployment method depends on how many operators will use the suite and how your organization governs administrator tooling.
Method 1 — Manual download (single operator)
The simplest approach for evaluators, single-operator scenarios, and lab environments. Download the .exe from the post-purchase link delivered by Lemon Squeezy (or from the trial download link on the product page), place it anywhere the operator can run it from — typically C:\Tools\TontonTools\ or the operator's desktop — and double-click to launch. No installer wizard, no UAC prompt unless the destination folder requires elevation.
When updating to a new version, replace the .exe with the new one. Credentials and license state persist in %AppData%\TontonTools\ regardless of where the executable lives.
Method 2 — SCCM packaging (recommended for multi-operator teams)
For IT teams who want to deploy the suite to all operator workstations in a controlled manner — typical of mid-size and enterprise environments. Wrap each .exe in a standard SCCM Application or Package, target a User Collection or Device Collection covering the operator workstations, and let SCCM handle the deployment and updates.
A minimal SCCM Application can use this install command (assuming the .exe is named DeleteDeviceEverywhere.exe and lives at the content source root): cmd /c xcopy /Y "DeleteDeviceEverywhere.exe" "%ProgramFiles%\TontonTools\". Detection rule: file %ProgramFiles%\TontonTools\DeleteDeviceEverywhere.exe exists. No reboot required, no return code checks beyond standard MSI defaults.
Method 3 — Group Policy software installation
For environments without SCCM but with Active Directory, a Group Policy software installation can deploy the .exe to a curated set of operator workstations. The same caveat as SCCM applies: the .exe is the entire deliverable, no MSI wrapper is provided by TontonTools. If your organization mandates MSI for GPO deployment, repackage the .exe into an MSI with a tool like Advanced Installer or PSAppDeployToolkit.
Method 4 — Intune Win32 LOB deployment
For organizations that have migrated their endpoint management to Intune, the TontonTools .exe files can be packaged as Win32 LOB apps using the official IntuneWinAppUtil.exe and deployed to operator devices. The same TontonTools product SIM can be used internally to perform this packaging if SCCM is part of the migration — a pleasant self-referential use case.
First launch — configuration flow
On first launch of any TontonTools product, the application runs through a deliberate sequence of bootstrap steps. The order matters: license is resolved before credentials are requested (no point asking for sensitive credentials from a user who is not licensed to use the tool), and credentials are auto-detected before prompting (no point asking the operator for values the workstation already knows).
- 1
1. License check
The license bootstrap runs first. If a valid license already exists in %AppData%\TontonTools\ from a previous run or a sibling tool, it is silently re-validated and the tool proceeds. If no license is found, a license dialog appears offering three options: start a 14-day trial (no credit card, no email required), activate with an order email and license key, or cancel. Trial mechanics, machine and tenant binding, and reactivation flows are documented in the Licensing reference.
- 2
2. License tier banner (Migrator only)
For the SCCM to Intune App Migrator (SIM), once the license is resolved, a permanent banner at the top of the window shows the current tier with a distinctive colour code (Trial copper, Small/Medium green, Large premium violet). For the other nine products, no banner is displayed because there is only one tier of access per subscription.
- 3
3. Credentials auto-detection
Before opening the credentials dialog, the tool attempts to silently auto-detect what it can. For SCCM-touching tools, a 4-method cascade tries the SCCM cache file %AppData%\TontonTools\sccm-cache.json (validated against WMI), then the local registry for an SCCM client install, then a direct WMI namespace probe at root\sms, then a check for an SCCM console install. If any method succeeds, the SCCM Server FQDN and Site Code are pre-filled in the credentials dialog. Auto-detection is best-effort — failure is silent and falls through to manual entry.
- 4
4. Credentials dialog
The unified TontonTools credentials dialog appears, showing only the sections the tool actually needs (Graph, SCCM, AD). Fields are pre-filled from any previously-saved credentials and from auto-detection results. For Graph, three authentication modes are offered: Client Secret (fastest setup), Certificate (production-grade, JWT Client Assertion), or Interactive (uses the operator's own Entra ID identity, no app registration required for delegated permissions).
- 5
5. Tenant resolution + token cache
On Save, Graph credentials are validated by acquiring a token against the tenant. The tenant display name and primary domain are fetched and shown in the header. The token is cached in the running session and reused by every tab and operation until the operator clicks the Credentials button to re-prompt.
- 6
6. Ready
The status bar shows "Ready", the main window is enabled, and the operator can proceed with the tool's primary workflow. The exact next steps depend on the tool: SIM opens its 5-tab UI, DDE opens its 4-system deletion form, AUC opens its user-to-collection picker, and so on.
Credentials storage
Credentials are stored in a single DPAPI-encrypted file at %AppData%\TontonTools\credentials.dat. DPAPI (Data Protection API) is the Windows-native encryption mechanism that binds encrypted data to a specific user account on a specific machine. The file is unreadable by any other user on the same workstation — even a local administrator cannot decrypt it without impersonating the original user — and is unreadable on any other machine.
| Aspect | Detail |
|---|---|
| Encryption mechanism | DPAPI with DataProtectionScope.CurrentUser |
| Storage path | %AppData%\TontonTools\credentials.dat |
| Companion file | %AppData%\TontonTools\sccm-cache.json (best-effort SCCM auto-detection cache, plaintext but contains no secrets — just the SCCM Server FQDN and Site Code) |
| Sharing model | Shared across all TontonTools products run by the same Windows user on the same workstation |
| Portability | NOT portable. Copying credentials.dat to another machine or another user makes it unreadable. This is by design. |
| Reset / clear | Delete the file manually, or click "Clear credentials" in the Credentials dialog. Next launch re-prompts. |
| Backup model | No backup needed. Credentials are re-enterable in seconds. The file is small (<1 KB) but considered ephemeral state, not user data. |
Network connectivity check
Each tool only needs the network destinations relevant to its function. The table below lists every outbound destination the suite as a whole can reach, with a note about which tool drives which connection. If your environment has a strict outbound firewall policy, use this table to whitelist what is actually required.
| Destination | Port / Protocol | Used by | Purpose |
|---|---|---|---|
| graph.microsoft.com | HTTPS / 443 | DDE, ODM, DDM, ODC, SIM | Microsoft Graph API for Entra ID, Intune, and Graph Apps |
| login.microsoftonline.com | HTTPS / 443 | Same as above | Token acquisition for Microsoft Graph |
| *.blob.core.windows.net | HTTPS / 443 | SIM only | Azure Blob Storage chunked upload for Win32 LOB packaging |
| SCCM site server FQDN | RPC TCP 135 + dynamic high ports | DDE, AUC, ADC, CDS, GPDEU, GPUED, SIM | WMI access to root\sms\site_<X> namespace |
| Writable domain controller | LDAP TCP 389 (or LDAPS 636) | DDE, GPDEU, GPUED | Direct LDAP (DDE) or PowerShell Get-ADUser (GPDEU/GPUED) |
| Active Directory Web Services | TCP 9389 | GPDEU, GPUED (alternative to LDAP) | Used by the RSAT ActiveDirectory PowerShell module under certain network conditions |
| api.lemonsqueezy.com | HTTPS / 443 | All products | License validation, at most once per 7-day window. Offline grace period of 14 days if unreachable. |
Three quick PowerShell checks cover the most common deployment scenarios:
| Check | PowerShell command | Expected result |
|---|---|---|
| Microsoft Graph reachable | Test-NetConnection graph.microsoft.com -Port 443 | TcpTestSucceeded : True |
| SCCM site server reachable (if applicable) | Test-NetConnection <sccm-server-fqdn> -Port 135 | TcpTestSucceeded : True |
| Domain controller reachable (if applicable) | Test-NetConnection (Get-ADDomainController -Discover -Service ADWS -DiscoverOption ForceDiscover).HostName -Port 389 | TcpTestSucceeded : True |
Verifying the installation
A simple end-to-end smoke test that confirms the installation succeeded:
- 1
1. Launch the tool
Double-click the .exe. The application window appears within 2-3 seconds. If a license dialog appears, the application has loaded successfully. If you see a Windows error about a missing .NET Framework, install .NET Framework 4.7.2 from Windows Settings → Apps → Optional Features.
- 2
2. Complete the license step
Start the 14-day trial or activate with the order email and license key from the Lemon Squeezy delivery. The license dialog closes and the credentials dialog should appear (or skip directly to the main window if the credentials were already configured by a sibling tool).
- 3
3. Verify the credentials dialog auto-population
For SCCM-touching tools on an SCCM-managed workstation, the SCCM Server and Site Code fields should already be pre-filled by auto-detection. If they are empty, click the "Auto-detect" button — the diagnostic log shows which detection method was tried and where it failed. Manual entry is always available as a fallback.
- 4
4. Complete the credentials and validate
Fill in any missing fields, click Save. The tool validates the credentials by acquiring a Graph token (if Graph is configured) and by probing the SCCM SMS Provider (if SCCM is configured). On success, the dialog closes, the main window header shows the tenant name and SCCM site server, and the status bar reads "Ready".
- 5
5. Run a low-risk operation
Before relying on the tool for production work, run one read-only operation to confirm end-to-end connectivity. For example, in DDE, open Preview Mode for a known-test device. In SIM, load the SCCM application list in the SCCM Source Browser tab. In ODM, list devices without selecting any for deletion. A successful read confirms credentials are correct and permissions are sufficient.
Updating to a new version
TontonTools does not include an auto-update mechanism. Updates are delivered as new .exe files via the Lemon Squeezy customer portal (your post-purchase email includes a permanent link). When a new version is released, the procedure is the same as the initial install — replace the existing .exe with the new one, no uninstall step required.
- 1
1. Download the new version
From the Lemon Squeezy customer portal link in your post-purchase email, download the latest .exe. Subscription-based products grant unlimited updates during the active subscription window. The one-shot SIM Migrator license grants minor updates (patch + minor versions) for life; major version upgrades may require a re-purchase.
- 2
2. Close the running tool (if any)
If the tool is currently running, close it. The .exe cannot be replaced while it is loaded into memory. Windows will return "File in use" if you try.
- 3
3. Replace the .exe
Overwrite the existing .exe with the new one in whatever location you originally installed it (manual install: typically the operator's tools folder; SCCM: through the standard SCCM application update workflow; Intune: through the standard Intune app update workflow).
- 4
4. Launch and verify
Double-click the new .exe. The license state and credentials persist in %AppData%\TontonTools\ — you should land directly on the main window without any re-prompt. Check the version number in the title bar or the "About" dialog to confirm the new version is running.
Uninstallation
Uninstalling a TontonTools product is symmetric with installing: delete the .exe. Because nothing was registered in Windows Add/Remove Programs, no entry exists to be removed there. Because nothing runs as a Windows service or scheduled task, nothing needs to be stopped first.
- 1
1. Delete the .exe
Remove the .exe from wherever it was installed. For manual installs, the operator typically deletes it from their tools folder. For SCCM / Intune managed installs, use the standard uninstall workflow of the deployment platform.
- 2
2. (Optional) Clear shared state
If you are uninstalling the LAST TontonTools product on this workstation for this user (no other tool from the suite remains), you can optionally delete the shared state folder %AppData%\TontonTools\ to remove credentials, the SCCM cache, the license state, and any history files (notably SIM's history.json). Skipping this step is safe — the folder is harmless and small. Deleting it ensures absolutely no remnant remains.
- 3
3. (Optional) Clear working directories
Some tools use C:\TEMP\ for working files (notably SIM, which stages .intunewin packages there during migrations). These directories are normally cleaned up after each operation, but if you want to verify, inspect C:\TEMP\ and delete any TontonTools-related subfolders. Log files at C:\TEMP\<ToolName>.log can also be deleted at this stage.
For the full licensing model — trial mechanics, machine and tenant binding, moving a license between workstations, refunds — see the Licensing reference. For the SCCM permissions required by SCCM-touching tools, see the SCCM permissions reference. For the Active Directory permissions required by DDE, GPDEU, and GPUED, see the Active Directory permissions reference. For the Microsoft Graph permissions required by every cloud-touching tool, see the Microsoft Graph permissions reference. For the overall security and data-handling model, see Security & Data Handling.