Release Notes

Orphan Device Cleaner — Changelog

Version history for Orphan Device Cleaner. Entries follow the Keep a Changelog convention with four groups: Added, Changed, Fixed, Security.

v1.0.0

Released January 2026

Initial public release of Orphan Device Cleaner. The product is sold in the Pro tier of the TontonTools suite. A 14-day free trial is available without a credit card.

Added

  • Identity-centric device cleanup across Microsoft Entra ID and Microsoft Intune. Finds devices whose user relationship is broken: no user assigned, the assigned user is disabled, the assigned user no longer exists, or the device is in a shared / kiosk configuration.
  • Four orphan categories with distinct colour codes in the result grid and the details dialog: NO_USER (no owner UPN, red), DISABLED_USER (owner exists but accountEnabled is false, orange), DELETED_USER (owner UPN absent from the active directory, dark gray), SHARED (heuristic combination of profile name and join type, yellow).
  • 4-step detection workflow: (1) load all devices from Entra ID and Intune, (2) load the active user directory once, (3) best-effort enrichment via /directory/deletedItems for the deleted-vs-not-found distinction, (4) resolve each device owner UPN and classify into one of the four categories.
  • Parallel owner resolution with backpressure: SemaphoreSlim(15) caps concurrent Graph calls, automatic 429 retry-after handling, typical 2000-device tenant resolved in ~15 seconds.
  • Stats bar with per-category live counters and row-level colour coding tied to the category.
  • Optional re-run of the owner resolution phase via a dedicated Resolve Owners button — useful after Entra Connect synchronizes a new wave of users.
  • Bulk safe-delete with explicit irreversible confirmation. Skip-on-failure behavior with aggregated counts per category.
  • Device details dialog with a coloured banner reflecting the orphan category, owner UPN and display name, owner account status (Enabled / Disabled / Not found in directory), and full identity / device / dates / all-properties tabs.
  • CSV export of the filtered result grid.
  • Microsoft Graph authentication via the unified TontonTools credentials dialog: Client Secret, Certificate (JWT client assertion), or Interactive with PKCE.
  • CMTrace-compatible activity log written to C:\TEMP\OrphanDeviceCleaner.log.
  • DPAPI-encrypted credential storage shared across the suite at %AppData%\TontonTools\credentials.dat.
  • Read-only fallback mode in license grace period.

Security

  • No agent installed on managed endpoints — the product only communicates with Microsoft Graph (graph.microsoft.com).
  • No telemetry, no cloud backend, no third-party analytics.
  • TLS 1.2 enforced on every Graph and license API request.
  • PKCE used in Interactive auth mode with a loopback redirect URI on a randomly selected free port.
  • The /directory/deletedItems enrichment is best-effort: if the operator does not have the required permissions for that endpoint, the tool degrades gracefully — devices still get flagged as orphan in the right category, but the deleted-vs-not-found distinction collapses to a single "owner absent from active directory" state.
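The four-category classification from the Added list and the degraded deletedItems path described above, as an added Python example that is not the product's own code. The SHARED heuristic (shared/kiosk profile name on an Entra-joined device), the owner-status strings for the collapsed state, and the sample directory are assumptions made for illustration.

```python
from collections import Counter
from typing import Optional

# Constructed sample data (not a real tenant): active users as UPN -> accountEnabled.
ACTIVE_USERS = {"alice@contoso.example": True, "bob@contoso.example": False}
# Constructed soft-deleted UPNs, as /directory/deletedItems would report them.
DELETED_UPNS = {"carol@contoso.example"}
# Constructed devices: owner UPN, enrollment profile name, join type.
DEVICES = [
    {"name": "PC-001", "owner": "alice@contoso.example", "profile": "Corp Laptops", "join": "azureADJoined"},
    {"name": "PC-002", "owner": "bob@contoso.example", "profile": "Corp Laptops", "join": "azureADJoined"},
    {"name": "PC-003", "owner": "carol@contoso.example", "profile": "Corp Laptops", "join": "hybridAzureADJoined"},
    {"name": "PC-004", "owner": "dave@contoso.example", "profile": "Corp Laptops", "join": "azureADJoined"},
    {"name": "KSK-01", "owner": None, "profile": "Lobby Kiosk", "join": "azureADJoined"},
    {"name": "PC-005", "owner": None, "profile": "Corp Laptops", "join": "azureADJoined"},
]


def classify(device, active_users, deleted_upns: Optional[set]):
    """Return (category, owner_status); category is None for a healthy device.

    deleted_upns=None models the degraded mode in which the operator could not
    read /directory/deletedItems, so deleted vs. not-found cannot be told apart.
    """
    owner = device["owner"]
    # Assumed SHARED heuristic: shared/kiosk profile name combined with an Entra join.
    if any(k in device["profile"].lower() for k in ("shared", "kiosk")) and device["join"] == "azureADJoined":
        return "SHARED", "n/a"
    if not owner:
        return "NO_USER", "n/a"
    if owner in active_users:
        return (None, "Enabled") if active_users[owner] else ("DISABLED_USER", "Disabled")
    # Owner UPN is absent from the active directory.
    if deleted_upns is None:
        return "DELETED_USER", "Owner absent from active directory"  # distinction collapsed
    return "DELETED_USER", ("Deleted" if owner in deleted_upns else "Not found in directory")


def count_categories(devices, active_users, deleted_upns: Optional[set]):
    """Per-category counters, as the stats bar shows them (healthy devices are not counted)."""
    counts = Counter()
    for device in devices:
        category, _ = classify(device, active_users, deleted_upns)
        if category:
            counts[category] += 1
    return dict(counts)
```

Running `count_categories(DEVICES, ACTIVE_USERS, None)` yields the same category totals as with enrichment; only the per-device owner status for PC-003 and PC-004 changes, which is the graceful degradation the note above describes.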