A hotfix rollup package (build 4.4.1749.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 1 (SP1). This rollup package resolves some issues and adds some improvements that are described in the "More Information" section.

Known issue in this update

Synchronization Service

After you install this update, rules extensions and custom management agents (MAs) based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs if you run such rules extensions or custom MAs after you change the configuration (.config) file for one of the following processes:

  • MIIServer.exe

  • Mmsscrpt.exe

  • Dllhost.exe

For example, you edit the MIIServer.exe.config file to change the default batch size for processing sync entries for the Forefront Identity Manager (FIM) Service MA. In this situation, the synchronization engine installer for this update can't replace the configuration file to avoid deleting your previous changes. This is because if the configuration file is not replaced, entries that are required by this update are not present in the files. Therefore, the synchronization engine does not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.

To resolve this issue, follow these steps:

  1. Make a backup copy for the MIIServer.exe.config file.

  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.

  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following content:


    <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />

    <bindingRedirect oldVersion="" newVersion="" />


  4. Save the changes to the file.

  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these two files.

  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).

  7. Verify that the rules extensions and custom management agents now work as expected.

Identity Management Portal

After you install this update, the Portal may not be displayed as expected in Internet Explorer. To resolve this issue, follow these steps:

  • Close all Internet Explorer instances.

  • Open the Internet Options control panel.

  • Delete all history and cached files.

If this issue still exists, make sure that the version of Internet Explorer is version 11 or a later version. If you are running versions that are earlier than version 11, there may be display inconsistencies compared with the Portal that is displayed in version 11.

Update information

Microsoft Download Center

A supported update is available from the Microsoft Download Center. We recommend that all customers apply this update to their production systems.

Download the update for Microsoft Identity Manager 2016 SP1 (KB4050936) now


To apply this update, you must have Microsoft Identity Manager 2016 build 4.4.1302.0.

Restart requirement

You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_KB4050936.msp) package. You may also have to restart the server components.

Replacement information

This is a cumulative update that replaces all MIM 2016 SP1 updates up to build 4.4.1642.0 for Microsoft Identity Manager 2016.

File information

The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name

File version

File size




Not applicable





Not applicable





Not applicable





Not applicable





Not applicable





Not applicable





Not applicable





Not applicable





Not Applicable




More information

Issues that are fixed or improvements that are added in this update

This update makes the following fixes and improvements that were not previously documented in the Microsoft Knowledge Base.

Service and Portal

This update fixes a security vulnerability in Microsoft Identity Manager 2016 SP1 Service and Portal. Before this update, the vulnerability could be exploited when a user visits a specially crafted object in the MIM Service through the MIM Portal by using a web browser. This situation would be relevant in environments where an attacker could cause the creation of objects in MIM or a connected directory that is synchronized to MIM. Depending on the browser settings, the vulnerability could allow for Cross-Site Scripting or Dynamic Execution of JavaScript in the user’s web browser. After installation of this update, viewing the object does not affect the web browser execution.

MIM Service

Issue 1

When you update to build 4.4.1459.0, you may experience a database upgrade failure. A foreign key constraint violation exception is recorded in the database upgrade log. This might occur if the MIM SP1 language pack has been installed.

This update adds a new logic so that you won't experience the same problem. 

Issue 2

When you execute self-service password reset requests, the MIM Service randomly stops. 

After you install this update, this issue no longer happens.

Issue 3

The New-PAMDomainConfiguration PowerShell cmdlet sets an incorrect value for domain trust configuration. 

After you install this update, the quarantine value reflects the value from the domain trust. 

For example:

Before you install this update, the New-PAMDomainConfiguration cmdlet sets quarantine=yes on the domain configuration object in the FIMService database even if the definition is defined as follows:

Netdom trust corp_domain /Quarantine:no domain priv_domain

After you install this update, the quarantine value will be set to no as expected. 

Issue 4

Email notification request fails and returns a PostProcessingError status. 

Example error message:  

System.InvalidOperationException: This unknown request parameter cannot be processed.

   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)

   at Microsoft.ResourceManagement.WFActivities.Resolver.ConstructAllChangesActionTable(String parameters)

   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveAttribute(String match, Boolean isFunctoidArg, ResolverOptions resolveOptions, String& attributeName)

   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorWithoutAntiXSS(String match, ResolverOptions resolveOptions)

   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorForWithAntiXSS(String match, ResolverOptions resolveOptions)

   at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceMatches(String input, Boolean useAntiXssEncoding, ResolverOptions resolveOptions)

   at Microsoft.ResourceManagement.Workflow.Hosting.EmailNotificationServiceImpl.ResolveMailMessage(Guid requestId, Guid targetId, Guid actorId, Dictionary`2 workflowDictionary, String toLine, String ccLine, String bccLine, Guid emailTemplateIdentifier, EmailResolutionOptions options, String& failedToResolvePrincipals)

   at Microsoft.ResourceManagement.Workflow.Activities.EmailNotificationActivity.ResolveMail(Object sender, EventArgs e)

   at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)

   at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)

   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)

   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)

at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime) 

at System.Workflow.Runtime.Scheduler.Run()

After you install this update, this problem no longer occurs.

Issue 5

Under certain circumstances, set calculations do not reflect the correct membership. This problem may occur if an attribute is used in a dynamic set or group filter, and then the binding for that attribute is deleted. 

After you install this update, you can no longer delete a binding for an attribute if that is referenced in a dynamic set or group filter.   

Issue 6

The MIM Service does not work for the Request Approval scenario for Exchange Online to which users can respond through the MIM Add-in for Outlook.

This update adds support for the MIM Service account to log on to Exchange Web Services for Exchange Online. 

Issue 7

The msidmPhoneGatePhoneNumber attribute without a country code does not use the DefaultCountryCode value in MFASettings.xml if the first digits in the phone number match a country code.

In this update, the application is optionally forced to apply a default country code. 

The DefaultCountryCode value in the MFASettings.xml file now has an option to use regex to force application of the default country code. 

For example:

<DefaultCountryCode forceApplyToNumberRegex="^380[0-9]{9}">380</DefaultCountryCode>

380 - countrycode

{9} - phonenumber without countrycode length

Issue 8

Some dynamic set definitions can't be evaluated by the FIMService for set membership transition until the "FIM_TemporalEventsJob" SQL Server Agent job is run.

After you install this update, these set memberships can be updated dynamically without having to rely on "FIM_TemporalEventsJob" to process them.

Issue 9

Synchronization rules don't let you create attribute flow rules for attributes whose names include the hash mark or pound sign (#).

After you install this update, the attributes whose names include the pound sign can be successfully used in attribute flow rules.

MIM Identity Management Portal

Issue 1

An exception is displayed in the main screen of the Identity Management Portal, and a Close button also appears. However, the button has no functionality. 

After you install this update, the Close button is no longer displayed.

Issue 2

Buttons are displayed incorrectly in the Delete Item window. This issue occurs in Internet Explorer, Firefox, and Chrome.

After you install this update, the buttons are displayed correctly.

Issue 3

The Lookup button overlaps the Resource Picker button on an Approval activity window in the Authorization workflow. This issue occurs in Internet Explorer, Firefox, and Chrome. 

After you install this update, this problem no longer occurs.

Issue 4

In the Group properties popup window, the button area overlaps the listview navigation controls on the Delete Members control. This issue occurs in Internet Explorer, Firefox, and Chrome. 

After you install this update, this problem no longer occurs.

Issue 5

Multiple display problems occur, including the following:

  • Up and down arrows are displayed incorrectly in some property sheets.

  • An empty area is created at the bottom of some pages and dialog boxes.

  • Popup overlays are missing.

After you install this update, this problem no longer occurs.

Issue 6

When you use the filter builder (such as Advanced Search) in various areas of the product, the filter builder stops responding if the OK button on a select value dialog box is clicked without an object first being selected in the add statement area.

A new logic is added to the Portal in this update to prevent you from clicking the OK button if no object is selected.

Issue 7

The New Attribute flow window in a synchronization rule edit dialog box does not work as expected in Google Chrome.

After you install this update, the New Attribute flow window is rendered as expected in Chrome. 

Issue 8

In an object management screen (such as Distribution Groups), if multiple objects are selected by using the check box, and the objects have very long display names, the Selected Items dialog box at the bottom of the screen resizes by width and not height. This causes the control to be extended past the right edge of the screen. This issue occurs in Chrome.

After you install this update, the Selected Items dialog box resizes vertically so that the control does not extend past the end of the browser screen.

Issue 9

In an object management or list screen (such as Distribution Groups), the Selected Items control may move up the screen to be directly under the last object that's listed in the table list. This issue occurs in Internet Explorer after you create several new objects of that object type, and then refresh the page.

After you install this update, the Selected Items control stays at the bottom of the window as expected. 

Issue 10

The filter builder (such as advanced search) in the Safari browser is nonfunctional.

After you install this update, the filter builder works in the Safari browser.

Issue 11

When there are multiple words (including at least one that’s very long) in portal dialog boxes that display attribute values, the shorter words are distributed throughout the cell with lots of white space in between instead of being left-aligned. 

After you install this update, the information in the attribute display cell is left-aligned. 

Issue 12

In some browser versions, the Selected Items item isn't updated when the item selection is changed.

After you install this update, the Selected Items item is updated as expected.

Issue 13

Dialog tabs and the Copy to Clipboard button on a popup window are not highlighted when you browse to them by using the Tab key. 

After you install this update, the dialog tabs and Copy to Clipboard button are highlighted when you browse to them by using the Tab key. 

Issue 14

In Internet Explorer 10, when you view an object grid display (such as Distribution Groups), the "Find the distribution groups you want using the search above" banner overlays part of the button ribbon instead of being displayed in the middle of the dialog box. 

After you install this update, this banner is displayed in the middle of the screen as expected.

Issue 15

After you install an update to the MIM Portal, the display of the Portal in Internet Explorer fails. To resolve this issue, delete the Internet Explorer cache through the Internet Options control panel.

After you install this update, the Internet Explorer display works as expected. The correct .css files are loaded for the current Portal assembly version, and the .css files replace those in the Internet Explorer cache.

Issue 16

When you use the Advanced Search in the Firefox browser, pressing the Enter key on an attribute value field returns an error. 

After you install this update, pressing the Enter key in an attribute value field does not return an error in the Firefox browser.

Certificate Management

Issue 1

A request originator (certificate manager) can't abandon a request that's duplicated somehow or just forgotten by a user who has Execution permissions.

This update introduces check boxes in all profile template policies. This enables request originators (certificate managers) to abandon requests if the policy type has no Execution permission.

Issue 2

When you try to renew the TPM Virtual Smart Card certificate from the Modern App, a forbidden exception is returned. 

After you install this update, the Virtual Smart Card renewal succeeds without the forbidden exception.

Issue 3

In some smart card related activities, existing connections to the CertificateManagement database are left open unexpectedly. 

After you install this update, these connections are closed.

Issue 4

When you try to install an update to MIM Certificate Management (CM) before the MIM CM Configuration Wizard is run, the update fails and generates an exception that seems to be unrelated to the problem.

Starting in this update, the Certificate Manager update installer checks against the system to verify that the Configuration Wizard has been run. If the wizard did not run, an error message is returned that states  that the Configuration Wizard must be run before you install the update, and the installation is canceled. 

Issue 5

The MIM CM Configuration Wizard displays incorrect product version information, and the logo isn't displayed correctly. 

After you install this update, the Configuration Wizard displays the correct information.

Issue 6

The exported data for an MIM Certificate Management report differs from the report data. The column data does not always match the column headings.

After you install this update, the exported report data is correct.


Learn about the terminology that Microsoft uses to describe software updates.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!