tontontools.
Enterprise

Atomic 4-system delete. With Rollback Snapshot Engine.

Remove a device from Active Directory, SCCM, Microsoft Intune and Entra ID in a single audited operation. Every deletion generates a recoverable snapshot. Single device or bulk from CSV.

Start free trialSee pricing

Included in the Enterprise tier · 14-day trial, no card

Delete Device Everywhere

The problem

When you decommission a workstation, you need to remove it from four systems: AD, SCCM, Intune and Entra ID. Forget one and the consequences are real.

  • Forget Intunethe device keeps reporting compliance status. Forever.
  • Forget Entrathe device still consumes an M365 license.
  • Forget SCCMthe policy keeps pushing to a phantom record.
  • Forget ADthe computer object lingers, eventually flagged as stale.

Doing all four manually takes 5-10 minutes per device — and you'll forget one. Eventually.

The TontonTools way

Delete Device Everywhere closes the loop in a single audited operation.

  • Single-device modeenter a device name, click Delete. Atomic removal from AD, SCCM, Intune and Entra ID with a single confirmation.
  • Bulk modeimport a CSV of devices, get a per-device action plan, click Run. Skip-on-failure logic keeps the batch moving.
  • Dry-Run modesee exactly what will be deleted before committing — for high-stakes operations and four-eyes review.
  • Rollback Snapshot Enginebefore every deletion, the tool captures the device's complete state as a JSON snapshot plus a PowerShell reconstruction script.

Key features

Built for high-stakes operations where forgetting a system is not an option.

  • Atomic 4-system delete

    AD, SCCM, Intune and Entra ID in a single confirmed operation. Per-system toggle if you only need to act on a subset.

  • Rollback Snapshot Engine

    JSON snapshot + PS1 reconstruction script written to C:\TEMP\DWE_Rollback\ before every commit. Timestamped folders, never overwritten.

  • Dry-Run preview

    Run the full deletion plan without committing. Color-coded action grid you can copy as a report or send for four-eyes approval.

  • Bulk CSV input

    Import hundreds of devices at once. Per-device status grid, skip-on-failure, full audit trail. 500 devices in 5 minutes.

  • CMTrace audit logs

    Every action timestamped and attributed in C:\TEMP. Open directly in CMTrace.exe for forensic review or compliance audits.

  • Credential isolation

    Microsoft Graph credentials accepted as Client Secret or Certificate (JWT Client Assertion). Stored DPAPI-encrypted, never transmitted off the workstation.

See it in action

Real screens. No marketing renders.

  • Preview first — a read-only scan shows where the device exists across AD, SCCM, Intune and Entra ID.
  • Bulk from a file, with an explicit confirmation before anything is permanently deleted from the four systems.
  • One run removes the device from AD, SCCM, Intune and Entra ID — per-system success, then export the log.
  • Safety net: every deletion writes a JSON snapshot and a PowerShell rebuild script to C:\TEMP\DWE_Rollback.

Technical details

What runs where. What it writes to disk. What permissions it needs.

Authentication

Microsoft Graph — Client Secret or Certificate (JWT Client Assertion)

Systems

Active Directory (on-prem)

Microsoft Configuration Manager (SCCM / MECM)

Microsoft Intune

Microsoft Entra ID

Audit log

CMTrace-compatible — C:\TEMP\DWE_*.log

Rollback snapshots

C:\TEMP\DWE_Rollback\<timestamp>\ — JSON state + PowerShell reconstruction script

Min permissions

Microsoft Graph permissions reference

SCCM permissions reference

Active Directory permissions reference

Who it's for

L3 Architects, Security Teams, and IT Ops leaders running active decommissioning programs. Companies with regular fleet refreshes, frequent offboarding waves, or security incident response duties. This is the flagship tool of the suite — built for organizations where data integrity and audit trail are non-negotiable.

Related products

Other tools in the suite that pair well with this one.

Decommission without fear. Delete with audit.

Try Delete Device Everywhere — exclusive to the Enterprise tier.

Start free trialSee pricing