v1.2.0
Released May 2026
Major feature release. Adds native multi-tenant workspaces with isolation guarantees, four external catalog sources (WinGet community, Chocolatey, Intune Enterprise App Catalog preview, UNC custom), an Update Manager for in-place patches and supersedence, and a self-contained HTML audit report covering inventory, available updates, and EOL risk. The Win32 LOB pipeline is fully validated against Microsoft Graph api-version=2025-07-02 with the new rules + msiInformation schema. Existing v1.0.0 carts and history files migrate transparently — no reconfiguration required.
Added
- Native multi-tenant workspaces — a new Tenants tab and a tenant dropdown in the title bar let MSPs and consultants manage multiple Intune environments from a single desktop. Each additional tenant has its own isolated storage under %AppData%\TontonTools\AppMigrator\tenants\<id>\ with its own migration cart, history log, and Intune inventory cache. The Default tenant remains shared with the rest of the TontonTools suite; additional tenants never touch shared credentials.
- Tenant drift detection — during a bulk migration, audit report generation, or catalog scan, every long operation snapshots its TenantContext (token, tenant ID, SCCM coordinates) and validates against the live ActiveTenant at each iteration. If the user switches mid-operation, the orchestrator aborts cleanly, surfaces a MessageBox ("Tenant switched during migration. Jobs already migrated stayed on the original tenant. X remaining job(s) are still Pending."), logs the drift as a red 🚨 entry in the UI panel ("🚨 TENANT SWITCHED DURING MIGRATION — Batch aborted."), and protects in-flight jobs on their original tenant. Already-migrated jobs remain ✅ Done with their IntuneAppId; pending jobs remain ⏳ Pending on the source tenant.
- Post-drift state persistence — job state (Done / Failed / Pending) is now persisted atomically per job to the per-tenant cart.json via UpsertJobForTenant, with write-through on every transition under a shared file lock. On reswitch back to the original tenant, completed jobs reappear ✅ Done with their exact IntuneAppId; a re-click on Start migration skips them via the `if (job.IsCompleted) continue;` guard, producing zero duplicate apps in Intune. Validated forensically by a triple test on 15 web-link jobs with mid-batch tenant switch.
- Auto-detect tenant domain via Graph — when adding an additional tenant, SIM can resolve the primary domain via Graph /v1.0/organization at first switch, persist it to tenants.json, and display it in the Tenants grid with a 🤖 badge. Best-effort and silent on failure.
- Auto-detect SCCM site coordinates — in the new premium Add/Edit Tenant dialog (3 cards: Identity / Graph / SCCM, with a pill toggle between Client Secret / Certificate / Interactive auth modes), an Auto-detect button reuses the shared SccmDetector (registry ConfigMgr10 then WMI scan) to fill SCCM Server and Site Code without manual entry.
- WinGet community catalog source — import from the official Microsoft WinGet source index (138 635 packages). The 33 MB SQLite source is downloaded from cdn.winget.microsoft.com, extracted locally, and queried in 5–30 ms with multi-mode search (exact ID fast path, multi-word tokenization, fuzzy substring). Includes a GitHub fallback for missing metadata and an intelligent per-installer-type uninstall command synthesis (msi, wix, msix, inno, nullsoft, burn, generic-exe). Validated in production with Notepad++ 8.9.5 NSIS migrated end-to-end.
- Chocolatey community catalog source — search the Chocolatey community feed via the /api/v2/Search() OData endpoint, then import packages with an auto-generated 3-script PowerShell wrapper: install.ps1 bootstraps choco.exe if absent before invoking choco install <id> --version=<v> -y; uninstall.ps1 and detect.ps1 complete the trio. The whole bundle ships as a standard Win32 LOB app, deployable on any Intune-managed device without a pre-installed Chocolatey.
- Intune Enterprise App Catalog source (search-only in v1.2.0) — search the Microsoft Intune EAC via Graph /beta/deviceAppManagement/mobileAppCatalogPackages. Results display alongside other catalogs in the Manual Create import expander. Direct EAC import is planned for v1.2.1 — the Microsoft mobileApps / win32CatalogApp endpoint is still in preview and currently throws NotSupportedException; until then, use the Intune portal for direct EAC enrolment.
- UNC custom catalog source — point SIM at an internal network share with a manifest.json per app and gain a zero-copy private catalog for in-house line-of-business installers. The installer never leaves the share during selection; the migration cart references the UNC path directly until packaging time.
- Update Manager — a new tab that scans the Intune inventory, cross-references it against the configured catalog sources (SCCM, WinGet, EAC, UNC, Chocolatey), and surfaces outdated apps as update candidates. Two strategies per candidate: Replace content (POST a new contentVersion on the existing app, keeping AppId, assignments, supersedence, and dependencies intact) or Supersede with new app (create a fresh app and declare a supersedence relationship to the predecessor). Replace fits patch releases; Supersede fits major versions with a different MSI ProductCode.
- EOL detection — each Intune app is matched against the public endoflife.date registry (450+ products, weekly-refreshed local cache). Four risk levels with colour-coded badges: 🟢 Supported, 🟡 Approaching EOL (within 6 months), 🔴 EOL passed, ⚪ Unknown. Surfaced in the Update Manager grid and in the audit report.
- HTML audit report — a single self-contained, print-ready HTML report (A4-formatted, brandable) covering: cover page with tenant name, executive summary cards, full Intune inventory with EOL badges, available updates by catalog source, EOL risk analysis (past + approaching), AppMigrator coverage progress bar, last 20 migrations. Generated in 10–30 seconds against a typical tenant, saved to Documents, with a one-click open-in-browser then Ctrl+P for PDF handoff. Drift-aware: switching tenants mid-generation aborts the report cleanly without writing a stale file.
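The drift check and per-job persistence from the tenant drift detection and post-drift state persistence entries above, as an added Python example (not SIM's own code): the batch snapshots the active tenant once, re-validates it before every job, writes each completed job to that tenant's cart.json, and skips completed jobs on a re-run. The Workspace class, run_batch, the create_app callback and the cart layout are assumptions, and the shared file lock is omitted because the example is single-process.

```python
import json, os, tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class TenantContext:                  # hypothetical stand-in for the snapshot
    tenant_id: str
    token: str

class Workspace:
    """Live active tenant plus one cart.json per tenant folder (layout assumed)."""
    def __init__(self, root):
        self.root, self.active = root, None

    def _cart_path(self, tenant_id):
        folder = os.path.join(self.root, "tenants", tenant_id)
        os.makedirs(folder, exist_ok=True)
        return os.path.join(folder, "cart.json")

    def load_cart(self, tenant_id):
        path = self._cart_path(tenant_id)
        if not os.path.exists(path):
            return {}
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)

    def upsert_job(self, tenant_id, job_id, state, app_id):
        """Write-through on every transition: temp file, then atomic rename."""
        cart = self.load_cart(tenant_id)
        cart[job_id] = {"state": state, "app_id": app_id}
        path = self._cart_path(tenant_id)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(cart, fh)
        os.replace(tmp, path)

def run_batch(ws, job_ids, create_app):
    """Return (app ids created in this run, job ids left Pending by a drift abort)."""
    snap = ws.active                              # snapshot taken once, at start
    created = []
    for i, job_id in enumerate(job_ids):
        if ws.active != snap:                     # live tenant changed: abort
            return created, list(job_ids[i:])
        done = ws.load_cart(snap.tenant_id).get(job_id, {}).get("state") == "Done"
        if done:                                  # completed on an earlier run
            continue
        app_id = create_app(snap, job_id)         # always uses the snapshot
        ws.upsert_job(snap.tenant_id, job_id, "Done", app_id)
        created.append(app_id)
    return created, []
```

Because every write is keyed on the snapshot rather than on the live tenant, a job that is in flight when the switch happens is still recorded against its original tenant.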
Changed
- Win32 LOB pipeline upgraded to Microsoft Graph api-version=2025-07-02 — Win32 LOB payloads are now constructed against the new rules + msiInformation schema that Microsoft introduced in mid-2025, replacing the legacy detectionRules + win32LobAppProductCodeDetection shape. Apps created by v1.0.0 (pre-2025-07-02 schema with detectionRules + win32LobAppProductCodeDetection) remain readable by v1.2.0 for inventory scans and drift detection — backward-compatible by design. Validated end-to-end on 7-Zip MSI and Notepad++ NSIS in production tenants.
- Migration Cart UX — the cart gains Remove Selected (multi-row), Retry on Failed (re-queues a failed job without rebuilding it), and anti-duplicate protection across tabs (a job already in the cart cannot be re-added from SCCM Browser, Share Browser, or any catalog). Per-row context menus and keyboard shortcuts streamline the workflow at 50+ apps per cart.
- History store isolation per tenant — history.json now lives under each additional tenant folder (tenants\<id>\history.json) and the Migration Report tab automatically rebinds when the active tenant changes. Pre-v1.2 history files remain at the legacy path and serve the Default tenant transparently.
- CMTrace activity log retained, with multi-tenant context — the C:\TEMP\AppMigrator.log (CMTrace-compatible) format is unchanged, but every entry now includes the active tenant display name when relevant, making cross-tenant operations auditable from a single log file.
Fixed
- WinGet version sorting — the WinGet GitHub fallback previously sorted package version folders alphabetically, which surfaced locale dirs like zh-TW and es-ES ahead of numeric versions for packages such as Mozilla.Firefox. The candidate-version filter now requires the first character to be a digit, restoring correct chronological ordering.
- Chocolatey OData search — migrated the Chocolatey search call from the deprecated substringof() OData function to the supported /api/v2/Search()?searchTerm=&targetFramework=&includePrerelease= entry-set. Search results now return reliably.
- WinGet manifest.rowid not chronological — discovered during cataloging that rowid reflects insertion order in the WinGet source index, not version chronology. The community sometimes re-publishes older versions (for example 7zip.7zip rowid 141247 = v19.00 vs rowid 135168 = v26.01). The catalog provider no longer relies on MAX(rowid) for de-duplication.
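An added example (not SIM's code) of the two WinGet fixes above: folder names are kept only when they start with a digit and are ordered by numeric components rather than alphabetically, and the newest row per package is chosen by parsed version instead of MAX(rowid). The function names and the (rowid, package_id, version) tuple shape are assumptions; the folder listing is constructed.

```python
import re

def version_key(name):
    """'8.10.0' -> (8, 10, 0); None for names that do not start with a digit."""
    if not re.match(r"[0-9]", name):
        return None                       # drops locale folders such as zh-TW
    key = []
    for part in re.split(r"[.\-+_]", name):
        digits = re.match(r"[0-9]+", part)
        if not digits:
            break                         # stop at a non-numeric suffix like 'beta'
        key.append(int(digits.group()))
    return tuple(key)

def candidate_versions(folder_names):
    """Keep version-looking folder names, oldest first, newest last."""
    versions = [n for n in folder_names if version_key(n) is not None]
    return sorted(versions, key=version_key)

def latest_by_version(rows):
    """rows: (rowid, package_id, version). Pick the newest version per package."""
    best = {}
    for rowid, package_id, version in rows:
        key = version_key(version)
        if key is None:
            continue
        if package_id not in best or key > best[package_id][0]:
            best[package_id] = (key, version)
    return {pkg: version for pkg, (key, version) in best.items()}

def latest_by_rowid(rows):
    """The rejected approach, kept for comparison: MAX(rowid) per package."""
    best = {}
    for rowid, package_id, version in rows:
        if package_id not in best or rowid > best[package_id][0]:
            best[package_id] = (rowid, version)
    return {pkg: version for pkg, (rowid, version) in best.items()}

# Constructed folder listing; the two 7zip.7zip rows are the ones quoted above.
FOLDERS = ["zh-TW", "es-ES", "9.0.1", "130.0.1", "100.0", "128.0"]
ROWS = [(141247, "7zip.7zip", "19.00"), (135168, "7zip.7zip", "26.01")]
```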
Security
- Per-tenant credential isolation — additional tenants store their Graph and SCCM credentials in TenantCredentialsStore under each tenant isolated folder, encrypted via DPAPI with the same CurrentUser scope as the shared store. The Default tenant credentials remain at the suite-wide path (%AppData%\TontonTools\credentials.dat) and are never copied into per-tenant stores — preventing accidental credential bleed across tenants.
v1.0.0
Released January 2026
Initial public release of SCCM to Intune App Migrator (SIM). The product is sold as a one-shot perpetual license at three tiers — Small (up to 50 apps per migration), Medium (up to 200 apps per migration), and Large (unlimited). A 14-day free trial is available without a credit card.
Added
- Three Intune target types in a single tool: Win32 LOB (full installers — MSI, EXE wrappers, PowerShell-driven setups), Web Link (URL shortcut apps), and Microsoft Store via winget (hundreds of common applications already published by Microsoft). Per-app selection in the migration cart — a single bulk migration can mix all three.
- Two source types: SCCM Applications (via WMI enumeration of SMS_Application with lazy SDMPackageXML parsing for deployment types) and Network Share scanning (recursive folder scan with priority-based installer detection — MSI first, then named installers setup.exe/install.exe/installer.exe, then generic .exe).
- MSI metadata auto-detection via Windows Installer COM late binding: when an .msi is found during share scanning, ProductCode, ProductName, ProductVersion, Manufacturer, Language, and Template architecture are read directly from the MSI database. Migration cart entries are pre-populated with no manual data entry required.
- Full 9-step Win32 LOB pipeline per Microsoft specification: Stage → Package via official IntuneWinAppUtil.exe → AES-256-CBC encrypt with HMAC-SHA256 integrity (ProfileVersion1 format) → Create app shell → Create content version → Poll for Azure Storage SAS URI → Upload encrypted chunks (6 MB blocks) → Renew SAS + Commit with encryption info → Patch committedContentVersion.
- Five-tab UI: SCCM Source Browser (discover applications in the SCCM catalog), Share Browser (scan UNC paths for installers), Manual Create (single-app creation for Web Link or winget targets), Migration Cart (review jobs and configure per-row Entra group assignment), Migration Report (JSON-backed audit trail with CSV export).
- Per-row Entra group assignment in the migration cart: load all security-enabled groups from the tenant via Graph, pick the target group via an inline ComboBox, choose intent (Available, Required, Uninstall). Assignment is optional — unassigned apps are created in Intune ready for manual assignment in the portal.
- Idempotent cleanup on failure: if any step of the Win32 LOB pipeline fails after the app shell is created, SIM best-effort DELETEs the partial app shell from Intune. No orphan app records left in the tenant.
- Sequential bulk execution by design — jobs run one at a time to avoid Graph and Azure Blob rate limits. UI remains responsive with per-row progress bars updating in real time.
- Persistent JSON audit trail at %AppData%\TontonTools\AppMigrator\history.json: every job (success or failure) is recorded with start time, completion time, duration, Intune App ID, portal URL, assignment summary, and error message if any.
- CSV export of the full migration history for compliance, project tracking, or Excel review.
- Double-click navigation from the Migration Report grid to the corresponding Intune portal page for the migrated app.
- Three-tier license model with permanent banner: Trial (copper, Small-equivalent for 14 days), Small (sober green, up to 50 apps per migration), Medium (sober green, up to 200), Large (premium violet, unlimited). Tier limits are enforced at cart-execution time with a clear upgrade message if exceeded.
- IntuneWinAppUtil.exe bundled as an embedded resource — no separate Microsoft download required. Optional override path mechanism in App.config for environments that want to pin a specific Microsoft release.
- Microsoft Graph authentication via the unified TontonTools credentials dialog: Client Secret, Certificate (JWT client assertion), or Interactive with PKCE.
- CMTrace-compatible activity log written to C:\TEMP\AppMigrator.log with full per-call timing.
- DPAPI-encrypted credential storage shared across the suite at %AppData%\TontonTools\credentials.dat.
Security
- No agent installed on managed endpoints — the product only communicates with Microsoft Graph (graph.microsoft.com), Azure Blob Storage (*.blob.core.windows.net), and the SCCM site server (RPC) when sourcing from SCCM.
- No telemetry, no cloud backend, no third-party analytics.
- TLS 1.2 enforced on every Graph, Azure Blob, and license API request.
- PKCE used in Interactive auth mode with a loopback redirect URI on a randomly selected free port.
- AES-256-CBC encryption with HMAC-SHA256 integrity (ProfileVersion1 format) applied to every Win32 LOB upload — strict conformance with Microsoft's Intune requirements. Keys and IV are randomly generated per file via RNGCryptoServiceProvider, base64-encoded, and sent in the commit payload alongside the SHA-256 digest of the plaintext.
- The license model is one-shot perpetual — there is no read-only fallback mode because the license never expires. Trial expiry without a paid activation simply blocks startup with a clear upgrade message.
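An added example (not SIM's code) of the integrity side of the upload encryption listed above: the HMAC-SHA256 tag is checked in constant time before anything is decrypted, and the commit metadata is assembled with base64 values and the SHA-256 digest of the plaintext. The HMAC || IV || ciphertext layout, with the tag covering IV and ciphertext, is an assumption about the ProfileVersion1 format that this page does not spell out; function names are hypothetical, and the AES step is out of scope, so callers pass the ciphertext in.

```python
import base64, hashlib, hmac

MAC_LEN, IV_LEN, BLOCK = 32, 16, 16   # HMAC-SHA256 tag, CBC IV, AES block size

def seal(ciphertext, iv, mac_key):
    """Assemble HMAC || IV || ciphertext (assumed layout); tag covers IV + ciphertext."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return tag + iv + ciphertext

def open_verified(blob, mac_key):
    """Return (iv, ciphertext) only if the tag verifies; raise ValueError otherwise."""
    body_len = len(blob) - MAC_LEN - IV_LEN
    if body_len < BLOCK or body_len % BLOCK:
        raise ValueError("truncated or misaligned blob")
    tag, body = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("MAC mismatch")          # reject before any decryption
    return body[:IV_LEN], body[IV_LEN:]

def encryption_info(enc_key, mac_key, iv, tag, plaintext):
    """Commit metadata: key material base64-encoded, digest taken over the plaintext."""
    def b64(raw):
        return base64.b64encode(raw).decode("ascii")
    return {
        "encryptionKey": b64(enc_key),
        "macKey": b64(mac_key),
        "initializationVector": b64(iv),
        "mac": b64(tag),
        "profileIdentifier": "ProfileVersion1",
        "fileDigest": b64(hashlib.sha256(plaintext).digest()),
        "fileDigestAlgorithm": "SHA256",
    }
```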