A hotfix rollup package (build 4.1.3646.0) is available for Forefront Identity Manager 2010 R2 Service Pack 1

Applies to: Microsoft Forefront Identity Manager 2010 R2 Service Pack 1


A hotfix rollup package (build 4.1.3646.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2 Service Pack 1 (SP1). The build number for Microsoft BHOLD Suite components that are included in this release is 5.0.3079.0. This hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section.

Update information

A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.

Microsoft Support

If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Additionally, you can obtain the update from Microsoft Update or from Microsoft Update Catalog.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Known issues in this update

Synchronization service

After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:
  • MIIServer.exe
  • Mmsscrpt.exe
  • Dllhost.exe
For example, you edited the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.

In this case, the synchronization engine installer for this update intentionally does not replace the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.

To resolve this issue, follow these steps:
  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:

    <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
    <bindingRedirect oldVersion="" newVersion="" />

  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these two files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.

FIM Reporting

If you install FIM Reporting on a new server that has Microsoft System Center 2012 Service Manager Service Pack 1 installed, follow these steps:
  1. Install the FIM 2010 R2 SP1 FIMService component. To do this, click to clear the Reporting check box.
  2. Install this hotfix rollup to upgrade the FIM Service to build 4.1.3646.0.
  3. Run the change-mode installation for the FIM Service, and then add Reporting.

If reporting is enabled and the change-mode installation is run for FIM Service and Portal, you must re-enable reporting. To do this in the FIM Identity Management Portal, follow these steps:
  1. On the Administration menu, click All Resources.
  2. Under All Resources, click System Configuration Settings.
  3. Click the System Configuration Settings object, and then open the properties of this object.
  4. Click Extended Attributes, and then select the Reporting Logging Enabled check box.
  5. Click OK, and then click Submit to save the change.


To apply this update, you must have Forefront Identity Manager 2010 R2 (build 4.1.3419.0 or a later build) installed.

Restart requirement

You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_kb3054196.msp) package. Additionally, you may have to restart the server components.

Replacement information

This update replaces the following updates:
3048056 A hotfix rollup (build 4.1.3634.0) is available for Forefront Identity Manager 2010 R2 SP1

3011057 A hotfix rollup (build 4.1.3613.0) is available for Forefront Identity Manager 2010 R2 SP1

2980295 A hotfix rollup (build 4.1.3599.0) is available for Forefront Identity Manager 2010 R2

2969673 A hotfix rollup (build 4.1.3559.0) is available for Forefront Identity Manager 2010 R2

2934816 A hotfix rollup package (build 4.1.3510.0) is available for Forefront Identity Manager 2010 R2

File information

Hotfix release build numbers
Forefront Identity Manager 4.1.3646.0
BHOLD 5.0.3079.0
Access Management Connector 5.0.3079.0

File attributes
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File nameFile versionFile sizeDateTimePlatform
Accessmanagementconnector.msiNot applicable671,74413-Jun-201506:44Not applicable
Bholdanalytics 5.0.3079.0_release.msiNot applicable2,699,26413-Jun-201506:32Not applicable
Bholdattestation 5.0.3079.0_release.msiNot applicable3,280,89613-Jun-201507:20Not applicable
Bholdcore 5.0.3079.0_release.msiNot applicable5,017,60013-Jun-201506:21Not applicable
Bholdfimintegration 5.0.3079.0_release.msiNot applicable3,526,65613-Jun-201506:56Not applicable
Bholdmodelgenerator 5.0.3079.0_release.msiNot applicable3,252,22413-Jun-201507:32Not applicable
Bholdreporting 5.0.3079.0_release.msiNot applicable1,994,75213-Jun-201507:08Not applicable
Fimaddinsextensionslp_x64_kb3054196.mspNot applicable3,917,31209-Jun-201521:12Not applicable
Fimaddinsextensionslp_x86_kb3054196.mspNot applicable1,592,32009-Jun-201521:01Not applicable
Fimaddinsextensions_x64_kb3054196.mspNot applicable5,208,06409-Jun-201521:12Not applicable
Fimaddinsextensions_x86_kb3054196.mspNot applicable4,661,24809-Jun-201521:01Not applicable
Fimcmbulkclient_x86_kb3054196.mspNot applicable9,105,40809-Jun-201521:01Not applicable
Fimcmclient_x64_kb3054196.mspNot applicable5,568,51209-Jun-201521:12Not applicable
Fimcmclient_x86_kb3054196.mspNot applicable5,192,70409-Jun-201521:01Not applicable
Fimcm_x64_kb3054196.mspNot applicable33,543,68009-Jun-201521:12Not applicable
Fimcm_x86_kb3054196.mspNot applicable33,172,48009-Jun-201521:01Not applicable
Fimservicelp_x64_kb3054196.mspNot applicable12,203,00809-Jun-201521:12Not applicable
Fimservice_x64_kb3054196.mspNot applicable31,237,12009-Jun-201521:12Not applicable
Fimsyncservice_x64_kb3054196.mspNot applicable36,241,40809-Jun-201521:12Not applicable

More Information

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service

Issue 1
When you update the criteria of a group or set, you receive a SQL error if negative conditions exceed 7 in the filter when you click View members. After you apply this update, the View Members button works as expected.

FIM service portals, add-ins and extensions

Issue 1
When you use the FIM Credential Provider Extension for Self-Service Password Reset (SSPR), you cannot answer by using double-byte characters through the Windows Input Method Editor (IME) in the "Question and Answer" gate. After you apply this update double-byte characters are not permitted when you are first creating answers.

Issue 2
On the FIM Password Registration and Password Reset websites, autocomplete was not disabled for the logon forms. After you apply this update, autocomplete is disabled for all logon forms.

Issue 3
After you apply this update, the Object Picker control in the FIM Identity Management Portal returns invalid results if there were special characters in the search string. After you apply this update, the Object Picker control parses the HTML strings correctly so that the Object Picker control returns the correct results.

Certificate management

Issue 1
The revocation settings in a profile template can only be configured for all certificates together and not for each certificate separately. After you apply this update, the administrator can configure the following settings from the Revocation Settings page for each certificate in the policy:
  • RevokeThisCertificate
  • PublishBaseCRL
  • PublishDeltaCRL

Related changes in the FIM CM API

Changes in the FIM CM API were also made to accommodate this change.
  • Properties of Microsoft.Clm.Shared.ProfileTemplates.RevocationOptions that were changed or added.

    PublishBaseCrlThis property is obsolete. Use the PublishBaseCRL property from CertificateTemplateRevocationOptions instead.
    PublishDeltaCrlThis property is obsolete. Use the PublishDeltaCRL property from CertificateTemplateRevocationOptions instead.
    RevokeOldCertificatesThis property is obsolete. Use the RevokeThisCertificate property from CertificateTemplateRevocationOptions instead.
    CertificateTemplateRevocationSettingsCollection with configuration for each certificate template in the profile template

    CertificateTemplateRevocationSettings is ReadOnlyCollection of Microsoft.Clm.Shared.ProfileTemplates.CertificateTemplateRevocationOptions type:

    public ReadOnlyCollection<CertificateTemplateRevocationOptions> CertificateTemplateRevocationSettings { get; }

  • New object Microsoft.Clm.Shared.ProfileTemplates.CertificateTemplateRevocationOptions has the following properties.

    CertificateTemplateCommonNameObtains the string value together with the common name of the current certificate
    RevokeThisCertificateObtains a Boolean value that indicates whether the current certificate that is associated with the smart card or the software profile that is to be operated on during a revoke operation will also be revoked.
    PublishBaseCRLObtains a Boolean value that indicates whether a revocation operation causes the base certificate revocation list (CRL) to be published.
    PublishDeltaCRLObtains a Boolean value that indicates whether a revocation operation causes a delta CRL to be published.

FIM synchronization service

Issue 1
The management agent for Active Directory receives a "Replication Access Denied" error when you run a Delta Import run profile step on domains that contain a read-only domain controller (RODC).

The documentation currently indicates that the account that is used in the management agent for Active Directory should have replicating directory changes. This is insufficient for domains that have the RODC feature enabled. The account that is used in the management agent for Active Directory should also be granted the replication directory changes in filter set permission to run Delta Import in such domains.

Issue 2
When a new synchronization rule is created and is projected into the metaverse, the following situation occurs whenever a synchronization rule does not project because of a synchronization error:
  • The synchronization exception causes the synchronization engine to remove the newly projected metaverse object because the synchronization failed.
  • The synchronization engine does not remove the import attribute flow rules that were added in the server configuration during the synchronization of the metaverse object.

  • Changes to the existing synchronization rule that failed initial sync do no resolve the problem.
  • The replacement of that synchronization rule does not resolve the problem.

After you apply this update, synchronization rule fragments will not be left in the server configuration when an attempt at failed projection or synchronization is made.

BHOLD and Access Management Connector

Issue 1
When you create delta-attestation campaign in BHOLD Analytics, an error message is displayed regardless of whether the campaign was created. After you apply this update, the error message is displayed only if there were errors when the campaign was created.

Issue 2
In BHOLD Attestation, user interface elements may not be available with new versions of Internet Explorer. After you apply this update, web forms work and are displayed as expected.


Learn about the terminology that Microsoft uses to describe software updates.