tontontools.

Release Notes

Delete Device Everywhere — Changelog

Version history for Delete Device Everywhere. Entries follow the Keep a Changelog convention with four groups: Added, Changed, Fixed, Security.

v1.0.0

Released January 2026released

Initial public release of Delete Device Everywhere. The product is sold in the Enterprise tier of the TontonTools suite. A 14-day free trial is available without a credit card.

Added

  • Four-system atomic deletion: remove a device from Active Directory, SCCM/MECM, Microsoft Intune and Microsoft Entra ID in a single coordinated workflow.
  • Single-device interactive mode: enter a device name, pick the systems to clean, click Delete after explicit confirmation.
  • Bulk mode with CSV/TXT import: process hundreds of devices sequentially with per-device progress, skip-on-failure behavior, and aggregated success/failure counts.
  • Preview / Dry-Run mode: read-only scan across all four systems reporting FOUND, NOT FOUND, ERROR, or SKIPPED status per device per system. Safe to run repeatedly against production tenants.
  • Microsoft Graph authentication — three production-ready modes: Client Secret (app-only), Certificate / JWT client assertion (app-only, RS256, recommended for production), and Interactive with PKCE (delegated, user-driven sign-in via browser loopback).
  • In-dialog SCCM Auto-detect: cascade resolver that scans the local JSON cache, ConfigMgr console MRU (HKCU), ConfigMgr Connection (HKCU), HKLM SMS Identification (Site Server only), and root\sms WMI namespace (SMS Provider only). Each candidate is validated against SMS_ProviderLocation before being kept. Successful detections are cached for instant resolution on subsequent launches.
  • CMTrace-compatible activity log written to C:\TEMP\DeleteDeviceEverywhere.log with timestamp, executing Windows user, severity, and free-text message per entry. UI activity log mirrors the file log in real time.
  • DPAPI-encrypted credential storage (CurrentUser scope) at %AppData%\TontonTools\credentials.dat — shared across all TontonTools products on the same Windows user profile.
  • Read-only fallback mode: when the license enters its 7-day grace period or moves to a tier that no longer covers the tool, destructive operations (Delete, Preview) are disabled while diagnostic surfaces (Activity Log, Export, Credentials dialog) remain available.
  • License binding to a stable machine identifier — SHA-256 hash of Windows MachineGuid and BIOS UUID. Cross-product license reuse is blocked at activation time by validating store_id, product_id and variant_id against the Lemon Squeezy License API.
  • Rollback Snapshot Engine (Preview): captures a full JSON metadata snapshot of the target device across all four systems and generates an auxiliary PowerShell reconstruction script under C:\TEMP\DWE_Rollback\<DeviceName>_<timestamp>\ before any deletion. See the product documentation for the Preview disclaimer.

Security

  • No agent installed on managed endpoints — the product only communicates with the administrator workstation, AD domain controllers, the SCCM SMS Provider, and Microsoft Graph (graph.microsoft.com).
  • No telemetry, no cloud backend, no third-party analytics. The only outbound connection to TontonTools infrastructure is a license validation request that carries only a machine identifier hash and a license key.
  • TLS 1.2 enforced on every Graph and license API request.
  • PKCE (RFC 7636) used in Interactive auth mode with a loopback redirect URI on a randomly selected free port — no client secret stored in this mode.

Related documentation