tontontools.
Standalone

Migrate, modernize and maintain your application catalog in Intune — from a single desktop.

A migration platform and a post-migration lifecycle tool in one. Six application sources (SCCM, Network Share, WinGet, Chocolatey, Intune EAC preview, UNC custom), native multi-tenant workspaces for MSPs and consultants, in-place Update Manager, and a self-contained HTML audit report. From 600 hours of manual repackaging to a weekend. €3,500 to €8,000 one-time, depending on your catalog size.

Start free trialSee pricing

Included in a one-time license

SCCM to Intune App Migrator

The problem

Migrating an SCCM application catalog to Microsoft Intune Win32 is one of the most painful, time-consuming and expensive chapters of any cloud transformation project — and once the migration is done, keeping the catalog patched, audit-ready, and aware of end-of-life software across multiple tenants is its own long-term workload.

  • 1.5–2.5 hours per appexpert work for repackaging, detection rules, requirements, command lines and dependencies.
  • 300 applications = 600 hours€30,000 to €50,000 of external consulting at typical day rates.
  • 6–12 months of elapsed project timewith team morale collapsing somewhere around month 4. And once it is done, every patch cycle, every EOL announcement, every audit reopens the file.

SCCM to Intune App Migrator (SIM) does the 80/20 on the migration, then keeps the catalog healthy after with an Update Manager and an HTML audit report. Across as many tenants as you need to manage from the same desktop.

The TontonTools way

SIM scans your application sources (SCCM, network shares, and four external catalogs — WinGet, Chocolatey, Intune EAC, UNC custom), generates Intune Win32 packages or single-POST Web Link / winget apps, and after migration keeps the catalog patched and audited through the Update Manager and the HTML audit report. Multi-tenant by design — switch between customer tenants from a dropdown in the title bar without restarting the tool.

  • Six application sourcesSCCM Applications via WMI, Network Share scanning with MSI metadata auto-detection, WinGet community catalog (138 635 packages indexed locally), Chocolatey community feed, Intune Enterprise App Catalog (search-only in v1.2.0), and UNC custom catalog for in-house line-of-business installers.
  • Native multi-tenant workspacesAdd as many tenants as needed; each gets its own DPAPI-encrypted credentials, migration cart, history log, and Intune inventory cache. Drift detection aborts mid-batch if you accidentally switch tenants — completed jobs stay on their original tenant, pending jobs stay safe.
  • Update Manager — Replace or SupersedeAfter migration, scan the Intune inventory against your catalog sources and patch outdated apps in place (Replace content, keeping AppId, assignments and supersedence intact) or with a new app (Supersede with new app, declaring a supersedence relationship to the predecessor).
  • HTML audit report with EOL detectionOne-click generation of a self-contained, print-ready HTML report — inventory with EOL badges (450+ products tracked via endoflife.date), available updates by source, coverage progress, last 20 migrations — all scoped to the active tenant.

Key features

Built for high-stakes operations where forgetting a system is not an option.

  • Native multi-tenant workspaces

    A tenant dropdown in the title bar lets MSPs and consultants manage multiple Intune environments from one desktop. Per-tenant isolated storage under %AppData%\TontonTools\AppMigrator\tenants\<id>\. The Default tenant remains shared with the rest of the TontonTools suite; additional tenants never touch shared credentials.

  • Six application sources

    SCCM Applications (WMI + lazy SDMPackageXML parsing), Network Share scanning, WinGet community (138 635-package SQLite local index, 5–30 ms queries), Chocolatey community feed via OData, Intune Enterprise App Catalog (search-only preview), and UNC custom manifest catalog.

  • Automatic .intunewin generation

    Microsoft IntuneWinAppUtil.exe is invoked under the hood, content is packaged, AES-256-CBC encrypted with HMAC-SHA256 integrity per ProfileVersion1, chunk-uploaded to Azure Blob via SAS URI in 6 MB blocks, and committed against Microsoft Graph api-version=2025-07-02. No manual content prep step.

  • Update Manager

    Two strategies per outdated app: Replace content (POST a new contentVersion on the existing app — AppId, assignments, supersedence and dependencies stay intact) or Supersede with new app (create a fresh app and declare a supersedence relationship to the predecessor). Replace fits patch releases; Supersede fits major versions with a new ProductCode.

  • HTML audit report

    A single self-contained, print-ready HTML report (A4-formatted, brandable): cover with tenant name, executive summary, full Intune inventory with EOL badges (🟢 🟡 🔴 ⚪ via endoflife.date), available updates by catalog source, coverage progress bar, last 20 migrations. Saved to Documents, Ctrl+P for PDF.

  • Tenant drift detection

    Every long operation snapshots its TenantContext (token, tenant ID, SCCM coordinates) and validates against the live ActiveTenant at each iteration. If you switch tenants mid-batch, the orchestrator aborts cleanly, names both tenants in a MessageBox, logs the drift as a red 🚨 entry, and protects in-flight jobs on their original tenant. Already-migrated jobs remain ✅ Done with their IntuneAppId; pending jobs remain ⏳ Pending.

  • Migration Cart with per-row group assignment

    Bulk migrations are reviewed in one cart. Per-row Entra security group + intent (Available / Required / Uninstall), Remove Selected (multi-row), Retry on Failed (re-queues without rebuilding), and anti-duplicate protection across all source tabs.

  • JSON + CSV audit trail

    Every migration job — success or failure — is persisted to history.json per tenant with start time, completion time, duration, Intune App ID, portal URL, assignment summary, and error message. CSV export is compliance-ready. CMTrace-compatible activity log under C:\TEMP\AppMigrator.log with multi-tenant context per entry.

See it in action

Real screens. No marketing renders.

  • Tenants tab: manage every client tenant from one desktop — each with isolated credentials, cart and history, one click to switch.
  • SCCM Source Browser: load your live ConfigMgr catalog and see at a glance what is already in Intune, ready, or not imported.
  • Share Browser: scan a UNC share to any depth — MSI and EXE installers auto-detected with publisher, version and architecture.
  • Migration Cart: SCCM, share and manual sources converge here — set the Entra group and intent per app, then start the batch.
  • Update Manager: scan SCCM, WinGet, Chocolatey, Intune EAC or a UNC share for outdated apps, then Replace or Supersede.
  • HTML audit report: a self-contained, print-ready report generated per tenant — open it in any browser, save to PDF.

Technical details

What runs where. What it writes to disk. What permissions it needs.

License model

One-time perpetual license, three tiers — Small €3,500 (up to 50 apps per migration) · Medium €5,500 (up to 200) · Large €8,000 (unlimited)

Authentication

SCCM — current user credentials (Kerberos) or auto-detected Site Server + Site Code

Microsoft Graph — Client Secret, Certificate (JWT Client Assertion), or Interactive with PKCE

Per-tenant DPAPI-encrypted credentials (CurrentUser scope) — never copied across tenants

Systems

Microsoft Configuration Manager (SCCM / MECM) — source

Network shares (UNC) — source

WinGet community + GitHub fallback — source

Chocolatey community feed (OData) — source

Intune Enterprise App Catalog (preview) — search-only

UNC custom manifest catalog — source

Microsoft Intune — target (Win32 LOB + Web Link + winget app types)

Microsoft Win32 Content Prep (IntuneWinAppUtil.exe, embedded) — packaging format

Microsoft Graph

api-version=2025-07-02 with the new rules + msiInformation schema. Apps created on the legacy detectionRules + win32LobAppProductCodeDetection schema (pre-2025-07-02) remain readable by SIM v1.2 for inventory scans and drift detection.

Multi-tenant

Tenants tab + tenant dropdown in the title bar — switch without restart

Per-tenant isolated storage under %AppData%\TontonTools\AppMigrator\tenants\<id>\

TenantContext snapshot + drift detection — mid-batch tenant switch aborts cleanly with in-flight job protection

Output format

.intunewin packages + Win32 LOB metadata (rules, msiInformation, returnCodes, installExperience)

Web Link apps (#microsoft.graph.webApp) — single POST

winget apps (#microsoft.graph.winGetApp) — single POST

Chocolatey wrappers — auto-generated install.ps1 + uninstall.ps1 + detect.ps1 trio

Audit log

CMTrace-compatible C:\TEMP\AppMigrator.log with active tenant context per entry

JSON audit trail at %AppData%\TontonTools\AppMigrator\tenants\<id>\history.json (Default tenant at the legacy shared path)

CSV export — semicolon-delimited, Excel-ready

HTML audit report — self-contained, print-ready, per-tenant

Min permissions

Microsoft Graph permissions reference

SCCM permissions reference

Who it's for

Cloud transformation leads, Modern Workplace architects, IT directors managing a finite migration project, and MSPs/consultants who steward multiple customer tenants. Particularly painful for companies with 200+ applications — at 500 applications you save 6-9 months of project time and €30,000–€50,000 of consulting. For MSPs, the multi-tenant architecture removes the per-customer reinstallation overhead and the credential-mixing risk that comes with single-tenant tools.

Related products

Other tools in the suite that pair well with this one.

Replace €40,000 of consulting with €5,500 of software.

Get the SCCM to Intune App Migrator — pay once, license never expires, one tool covers migration AND post-migration lifecycle, across as many tenants as you manage.

Start free trialSee pricing