A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
You must have Microsoft Forefront Identity Manager 2010 installed to apply this hotfix.
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix rollup replaces the following hotfix rollup:
A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
| File name | File version | File size | Date | Time |
Fixed issues that relate to Certificate Management
The following issue is fixed in this hotfix package:
Issue 1
The requests that are submitted by the Online Update Service cannot update the target attribute in Active Directory in Certificate Management of FIM 2010.
Fixed feature and issues that relate to Credential Management
The following feature and issues are fixed in this hotfix package:
Feature 1
The Password Reset registration wizard does not let organizations provide a link to their data policy. This hotfix adds a feature that lets you insert a link to an organization’s data policy and display that link in the Password Reset registration wizard. To enable this feature, you must set the PrivacyLink (REG_SZ) registry value after you apply this hotfix. This fix is available in the Identity Manager 2010 Group Policy Templates. To obtain the Group Policy templates, visit the following Microsoft Download Center website:
Issue 1
This hotfix enables the self-service password reset registration cache feature to work correctly.
When the registration cache feature is enabled, users who are registered for password reset will have their registration checked periodically to make sure that it is up to date. Users who are not registered will continue to be prompted to register for password reset every time that they log on to Windows.
Issue 2
The type for the CacheInterval and MaxOffset registry values is set to REG_SZ in the Group Policy Templates. This hotfix corrects the type to REG_DWORD. This fix is available in the Identity Manager 2010 Group Policy Templates. To obtain the Group Policy templates, visit the following Microsoft Download Center website:
Issue 3
The password reset portal returns the following error message after an IIS Reset:
An unexpected error has occurred.
Added feature that relates to Declarative Provisioning
The following feature is added in this hotfix package:
Feature 1
This hotfix enables an outgoing synchronization rule to use a flow scope that accommodates more than two resource types.
Fixed issue that relates to Common UI
The following issue is fixed in this hotfix package:
Issue 1
When there are more than seven UocListViews in a single Resource Control Display Configuration (RCDC), the UocListView is rendered in the wireframe view instead of in the graphical view.
Fixed issues and features that relate to Sync Engine
The following features and issues are fixed in this hotfix package:
Feature 1
The hotfix introduces a new registry key, MinimalObjectLogging. This key reduces the amount of information that is logged when an error occurs during a run.
For more information about this registry key, visit the following Microsoft TechNet website:
Feature 2
This hotfix writes an error message to the event log when a management agent run encounters staging errors.
Feature 3
A management agent can have several partitions. For example, the management agent for Active Directory can have several partitions where every domain in a forest is a partition. When a whole partition is unselected, all previously imported objects are kept in the connector space. Then, a full import on any other partitions removes all objects that are in an unselected partition.
Issue 1
In rare circumstances when the recycle bin is enabled on Windows Server 2008 R2, you receive error code 0x80230309. Also, you receive the following error message on the management agent for Active Directory:
The dimage indicates an update or replace operation. But the image does not exist.
Issue 2
A WMI query for MIIS_RunHistory returns no result.
Issue 3
The Extensible Connectivity Management Agent (ECMA) has a CustomData property that is used to store the watermark for delta. When the MA encounters an export-not-reimported error, the watermark is not committed.
The hotfix commits the CustomData property even if the error occurs.
Issue 4
When the last member is staged to be exported, a multi-mastered attribute generates the error “attribute not found.” This error occurs when the synchronization engine runs an import that brings in a new member instead of running an export as expected.
Issue 5
The attribute precedence does not work as expected with Declarative Provisioning and the FIM Service Management Agent.
To resolve the issue, perform one of the following operations after you apply this hotfix:
- Only run full synchronization on the Active Directory Management Agent (MA), which has higher precedence than the FIM MA.
- Only run the preview commit for the linked CS objects of the bad Metaverse objects on the MA, which has higher precedence than the FIM MA.
Issue 6
If you create a new mailbox by using the CreateMailbox method in ExchangeUtils, you may encounter an export-change-not-reimported error on the nTSecurityDescriptor attribute.
This hotfix corrects the normalization of this attribute.
Issue 7
In rare cases, the synchronization engine may crash with a multi-mastered member attribute.
Issue 8
When you change an object type during scripted provisioning, you receive the following error message:
The dimage has a different anchor or primary object class from what is shown on the hologram.
Issue 9
When you run MAs in an unexpected order and remove the very last member of a group, you see the error “0x80070057 (The parameter is incorrect.)” on a multi-mastered, multivalued reference attribute, such as a member of a group.
Issue 10
In rare cases, the sync engine may crash during a delta synchronization.
Fixed issues that relate to Workflow Engine
Issue 1
When you change dynamic groups in FIM 2010, it takes a long time for the changes to take effect. This hotfix improves the performance when you make these changes.