The tool went through a series of serious warnings for me to permit it to do non-standard things. And it's no-longer running now. Also, there was a six-digit PIN that I had to enter somewhere to connect the tool back to Microsoft, and "Jake" who I was texting with seemed pretty knowledgeable.

From a security perspective, the tool was a separate thing I had to download and install. It's not on-by-default, so it's not part of the attack surface of the machine.