Architecture at a glance
TontonTools runs as a standard Windows desktop application (.NET Framework 4.7.2, WPF). All operations are initiated locally by the signed-in IT administrator and execute over the standard, supported Microsoft APIs.
The only outbound connection to TontonTools infrastructure is a periodic license validation call. It carries a machine identifier and a license key — never tenant data, never device inventory, never credentials.
Local-first by design
No server component
Unlike competing right-click tools, TontonTools does not require a central management server, a service account with elevated permissions, or any inbound firewall rules. Each administrator runs the tool on their own workstation.
No agent on endpoints
Managed devices (laptops, servers, kiosks) never see TontonTools. The product talks to your SCCM site server, your domain controllers, and Microsoft Graph — not to the devices being managed.
No telemetry
TontonTools does not collect usage analytics, crash reports, or feature telemetry. Logs stay on the administrator workstation.
No cloud backend
There is no TontonTools cloud database storing your tenant ID, your device names, or your activity. The product cannot leak what it does not have.
How credentials are stored
Most TontonTools products need credentials for at least one of: Microsoft Graph (Entra ID, Intune), SCCM, Active Directory. These credentials are stored on the administrator workstation using Windows Data Protection API (DPAPI) with CurrentUser scope.
Storage location
%AppData%\TontonTools\credentials.dat
What this means in practice
- The file is encrypted by the Windows user account that created it. Another user on the same machine — even a local administrator — cannot decrypt it without that user's credentials.
- Copying the file to another machine renders it unreadable. The encryption key is bound to the user's Windows profile.
- TontonTools never logs, displays, or transmits the decrypted secret values. The credentials dialog masks them.
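The CurrentUser binding described above can be observed directly. This is an added example, not TontonTools code: it protects a constructed secret with DPAPI, writes it to a constructed temp file (not the product's credentials.dat, whose internal layout this page does not describe), and shows that a modified blob is rejected.

```powershell
# Added example, not TontonTools code. Runs in Windows PowerShell 5.1 on a constructed secret.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-ForCurrentUser {
    param([Parameter(Mandatory)][string]$PlainText)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        # CurrentUser scope ties the blob to this account's DPAPI master key.
        $protected = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        return ,$protected
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext buffer
    }
}

function Test-CanUnprotect {
    param([Parameter(Mandatory)][byte[]]$Blob)
    try {
        $clear = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $scope)
        [Array]::Clear($clear, 0, $clear.Length)
        return $true
    } catch {
        # CryptographicException: other user profile, other machine, or a modified blob.
        return $false
    }
}

$path = Join-Path $env:TEMP 'dpapi-demo.dat'    # constructed path, not the product's file
$blob = Protect-ForCurrentUser -PlainText 'constructed-demo-secret'
[System.IO.File]::WriteAllBytes($path, $blob)

# DPAPI blobs are integrity-protected: one flipped byte makes Unprotect throw.
$tampered = [byte[]]$blob.Clone()
$tampered[-1] = $tampered[-1] -bxor 0xFF

[pscustomobject]@{
    Account          = "$env:USERDOMAIN\$env:USERNAME"
    BlobFile         = $path
    SameUserDecrypts = Test-CanUnprotect -Blob ([System.IO.File]::ReadAllBytes($path))
    TamperedDecrypts = Test-CanUnprotect -Blob $tampered
}
```

To check the cross-user behaviour, load the two functions in a session running as a different account and call Test-CanUnprotect on the bytes of the same file.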
What is stored
| Field | Required when | Notes |
|---|---|---|
| Tenant ID | Graph features used | Public GUID |
| Client ID | Graph features used | Public GUID (App Registration) |
| Client Secret | Graph + ClientSecret auth mode | DPAPI-encrypted |
| Certificate Thumbprint | Graph + Certificate auth mode | Cert itself lives in Cert:\CurrentUser\My |
| SCCM Site Server | SCCM features used | FQDN of your SMS Provider |
| SCCM Site Code | SCCM features used | 3-character code |
| AD LDAP Root | AD features used | e.g. LDAP://DC=corp,DC=contoso,DC=com |
Microsoft Graph: how authentication works
TontonTools uses the standard Microsoft identity platform. Three authentication modes are supported, and the choice is yours:
1. Client Secret (App-only)
The classic application authentication. Suitable for lab environments and small deployments. The secret is stored DPAPI-encrypted locally.
2. Certificate (App-only, JWT client assertion) — Recommended
Stronger than client secrets, no secret to rotate. The private key is held in Cert:\CurrentUser\My and protected by Windows. Only the thumbprint is stored in TontonTools.
3. Interactive (Delegated, with PKCE)
The administrator signs in with their own Microsoft 365 account through a browser. All Graph operations execute under the user's own permissions and are fully auditable in Entra ID sign-in logs. No secret is stored at all.
Every Graph call goes directly to graph.microsoft.com over TLS 1.2+. TontonTools does not proxy, mirror, or cache these calls on third-party infrastructure.
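What certificate mode puts on the wire is a short-lived signed assertion rather than a reusable secret. The sketch below is an added example, not TontonTools code: it builds a client assertion in the shape the Microsoft identity platform expects, using placeholder tenant and client GUIDs and a throwaway self-signed certificate, and makes no network call.

```powershell
# Added example, not TontonTools code. Tenant and client IDs are placeholder GUIDs; the
# certificate is a throwaway self-signed one created for the demo. No network call is made.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-ClientAssertion {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Thumbprint      # the only value an app needs to store
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint in this profile." }

    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $header = @{ alg = 'RS256'; typ = 'JWT'; x5t = (ConvertTo-Base64Url -Bytes ($cert.GetCertHash())) }
    $claims = @{
        aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        iss = $ClientId
        sub = $ClientId
        jti = [guid]::NewGuid().ToString()             # unique per request, limits replay
        nbf = $now
        exp = $now + 300                               # short-lived: five minutes
    }
    $utf8 = [System.Text.Encoding]::UTF8
    $h = ConvertTo-Base64Url -Bytes ($utf8.GetBytes(($header | ConvertTo-Json -Compress)))
    $c = ConvertTo-Base64Url -Bytes ($utf8.GetBytes(($claims | ConvertTo-Json -Compress)))

    # The key store performs the signing; the private key is never read into the script.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $sig = $rsa.SignData($utf8.GetBytes("$h.$c"),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return "$h.$c." + (ConvertTo-Base64Url -Bytes $sig)
}

# Throwaway certificate with a non-exportable key, removed again in the finally block.
$demo = New-SelfSignedCertificate -Subject 'CN=constructed-demo' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddDays(1)
try {
    $jwt = New-ClientAssertion -TenantId '00000000-0000-0000-0000-000000000000' `
        -ClientId '11111111-1111-1111-1111-111111111111' -Thumbprint $demo.Thumbprint
    $jwt
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)" -DeleteKey
}
```

In a real token request this string is sent as client_assertion with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and it is only accepted if the matching public certificate has been uploaded to the App Registration.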
SCCM and Active Directory: how access works
For SCCM, TontonTools connects to your SMS Provider using WMI (root\SMS\site_<sitecode>) under the signed-in administrator's Windows identity. The administrator's existing SCCM RBAC role determines what they can see and do — TontonTools never elevates privileges.
For Active Directory, TontonTools uses two access patterns: direct LDAP queries via System.DirectoryServices (used by Delete Device Everywhere) or indirect LDAP via the RSAT ActiveDirectory PowerShell module through Get-ADUser (used by GPDEU and GPUED). Both patterns authenticate under the signed-in administrator's Windows identity. The same Kerberos / NTLM authentication that Active Directory expects from any domain-joined application applies. For more detail on which tool uses which pattern and the exact permissions required, see the Active Directory permissions reference.
There is no service account, no impersonation, no stored AD password.
Logs and sensitive data handling
Every TontonTools product writes a CMTrace-compatible log to a local path, typically:
C:\TEMP\<ProductName>.log
What logs do NOT include
- Decrypted client secrets or certificate private keys
- Passwords of any kind
- Full LDAP query results (only counts and the target object DN)
What logs DO include
- The Windows user who ran the action (DOMAIN\Username)
- The target object names (device name, user UPN)
- The systems touched and the outcome of each operation
- HTTP status codes from Graph API responses
- Timestamps with millisecond precision
For destructive operations (notably Delete Device Everywhere), a separate rollback snapshot is written before any deletion. This snapshot captures the full metadata of the target object across all four systems and an automatically generated PowerShell reconstruction script.
What never leaves your environment
The following data is never transmitted to TontonTools or any third party:
- Tenant ID, Client ID, Client Secret, Certificate private key
- SCCM site server names or site codes
- Active Directory domain names, OU structure, or DN values
- Device names, user UPNs, group memberships
- Any CSV/TXT files you import
- Log files
- Rollback snapshots
What the application transmits to TontonTools
For license validation only, the product sends:
- The license key (entered by you during activation)
- A machine identifier — a SHA-256 hash of the Windows MachineGuid and BIOS UUID
- The product code and version number
This call happens at activation, then at most once every 7 days during normal use, against the Lemon Squeezy License API. No tenant data, no device data, no user data is ever attached to this request.
Offline operation
TontonTools is designed to keep working when the workstation is offline or behind a strict proxy. A successful license validation is cached locally for 7 days, with an additional 7-day grace period before the product moves to read-only mode. In practice, the product will run normally for up to 14 days without internet connectivity to the license server. SCCM, AD and Graph operations continue to work as long as the local network can reach those systems.
Compliance and auditability
Because TontonTools acts under the administrator's own Microsoft 365 and Windows identity:
- Entra ID audit logs capture every Graph operation (directory changes such as device deletion), attributed to the App Registration you control.
- Entra ID sign-in logs capture every authentication.
- SCCM SMSProv.log on your site server records every SCCM operation, subject to your existing SCCM RBAC audit trail.
- Domain controller Security event log records every AD operation (event 4662 for object access, 4742 for computer object deletion, etc.).
TontonTools does not bypass, mask, or anonymize any of this. The IT administrator using the tool is the principal actor of every operation, exactly as if they had used the native Microsoft consoles.
Vendor and supply chain
TontonTools is published by TontonPro SASU, a French company registered in Versailles (SIREN 994 272 045). The product is sold internationally through Lemon Squeezy, acting as Merchant of Record (handling VAT, sales tax, and billing). The Lemon Squeezy relationship covers only the commercial transaction — Lemon Squeezy has no access to your tenant data or to your use of the product.
Installers are code-signed and delivered through the Lemon Squeezy customer portal. Each release is accompanied by a SHA-256 checksum published in the release notes.
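A download can be checked against both controls before it is run. The function below is an added example, not vendor tooling: the signer subject filter is a placeholder because this page does not state the certificate subject, and the demo input is a constructed unsigned file standing in for an installer.

```powershell
# Added example, not vendor tooling. File name, checksum and signer subject are placeholders.
function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PublishedSha256,   # copied from the release notes
        [string]$ExpectedSignerLike = '*'                 # pin once the real subject is known
    )
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $hashOk   = $actual -eq ($PublishedSha256 -replace '\s', '')   # -eq ignores hex case
    $sigOk    = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    $signerOk = $sigOk -and ($signer -like $ExpectedSignerLike)

    [pscustomobject]@{
        File        = $Path
        Sha256      = $actual
        HashMatches = $hashOk
        SigStatus   = $sig.Status
        Signer      = $signer
        Timestamped = [bool]$sig.TimeStamperCertificate
        Accept      = $hashOk -and $sigOk -and $signerOk
    }
}

# Constructed input: an unsigned temp file standing in for a download.
$demo = Join-Path $env:TEMP 'constructed-installer.exe'
[System.IO.File]::WriteAllBytes($demo, [System.Text.Encoding]::ASCII.GetBytes('constructed bytes'))
$published = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash.ToLower()

# The hash matches, yet Accept is False: the file carries no valid Authenticode signature.
Test-InstallerIntegrity -Path $demo -PublishedSha256 $published -ExpectedSignerLike '*PLACEHOLDER*'
Remove-Item -LiteralPath $demo
```

Requiring both checks matters because a checksum obtained through the same channel as the file only detects corruption, while the signature ties the binary to the publisher's certificate.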
Reporting a security concern
If you believe you have found a security issue in any TontonTools product, please contact security@tontontools.com. We aim to acknowledge security reports within two business days.