MIM 2016: New hotfix build 4.3.2124.0 available

A few days ago a new hotfix for MIM 2016 was released; its build number is 4.3.2124.0.

See hotfix details here: https://support.microsoft.com/en-us/kb/3134725

Or download the hotfix directly here: http://hotfixv4.microsoft.com/Microsoft Identity Manager/latest/KB3134725/4.3.2124.0/free/490253_intl_x64_zip.exe

These are the issues that are fixed:

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Privileged Access Management (PAM)

Issue 1

Some group memberships may not be removed by the MIM component service after the PAM request expiration period. This hotfix addresses removal of expired group memberships.

Note If you use PAM, this is an important update and should be installed in all environments.

MIM add-ins and extensions

Issue 1

The Approval buttons in the Outlook Add-in disappear in some UI interactions.

Issue 2

You receive an “Installation prerequisites not met” error message if you try to install the MIM Add-in for Outlook on a computer that has Outlook 2016 installed.

MIM Certificate Management

Issue 1

The Profile Template Settings Report displays incorrect information. It shows that PIN Rollover is enabled and that the Admin PIN initial value is set even if this is not true. Also if the Diversify Admin Key setting is enabled, it is not displayed in the Profile Template Settings Report.

Issue 2

The “Support for non-FIM CM certificates requests” plug-in doesn’t create profiles for external certificates that were created outside MIM Certificate Management (CM).

Issue 3

This hotfix updates the MIM CM CA module tracing and logging, which differs from CM Server application tracing in that CA modules are installed on the AD CS server.

How to use the CA modules tracing

CA module tracing differs from CM Server application tracing because the CA modules might be installed on a separate computer.

Log location

Events can be viewed in the Microsoft\IdentityManagement\CertificateManagement\Admin log. By default, CA modules also write messages to the system folder %temp% (usually C:\Windows\TEMP). To change the log file location, specify the new path of the file in the registry. Make sure that the directory exists and is writable by the CA.

How to change logs location

  1. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration in the registry.
  2. Define a new file location in the ClmCATrace registry value.
  3. Restart the CA.

Trace switch for ExitModule

Registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\ExitModules\Clm.Exit

String name: Microsoft.Clm.ExitModule
Value data: The Value data can be one of the following: Verbose|Info|Warning|Error

Trace switch for PolicyModule

Registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy

String name: Microsoft.Clm.PolicyModule
Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error

Trace switch for PolicyModule plugins

Registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy\<plugin's name>

String name: Microsoft.Clm.PolicyModulePlugins
Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error

Note Unless the key is defined, the default value is Info. After a trace switch is changed, restart the CA for it to take effect.
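
As an added example (not code from the KB or from the post's author), the following PowerShell sets all three trace switches from this section to one level, optionally relocates the ClmCATrace log, and restarts the CA so the change takes effect. It assumes it runs elevated on the AD CS server and reads the CA name from the Active value under the CertSvc Configuration key; the log file name is a constructed example.

```powershell
# Added example, not part of the KB or this post: set the MIM CM CA module trace
# switches listed above on the AD CS host and optionally move the ClmCATrace log.
# Assumptions: runs elevated on the CA server; the CA name is read from the "Active"
# value under the CertSvc Configuration key (standard AD CS layout); the log file
# name ClmCATrace.log is a constructed example.
[CmdletBinding()]
param(
    [ValidateSet('Verbose', 'Info', 'Warning', 'Error')]
    [string]$Level = 'Info',                 # Info is the default when no switch is defined
    [string[]]$PolicyPlugins = @(),          # names of Clm.Policy plug-in subkeys, if any
    [string]$LogFile = ''                    # e.g. 'D:\CMLogs\ClmCATrace.log'; '' keeps %temp%
)

$configKey = 'HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey).Active

function Set-TraceSwitch([string]$Key, [string]$Name, [string]$Value) {
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # The switches are REG_SZ values ("String name" / "Value data" in the KB)
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type String
}

$switches = @(
    @{ Key = "$configKey\$caName\ExitModules\Clm.Exit";     Name = 'Microsoft.Clm.ExitModule' }
    @{ Key = "$configKey\$caName\PolicyModules\Clm.Policy"; Name = 'Microsoft.Clm.PolicyModule' }
)
foreach ($plugin in $PolicyPlugins) {
    $switches += @{ Key  = "$configKey\$caName\PolicyModules\Clm.Policy\$plugin"
                    Name = 'Microsoft.Clm.PolicyModulePlugins' }
}
foreach ($s in $switches) { Set-TraceSwitch -Key $s.Key -Name $s.Name -Value $Level }

if ($LogFile) {
    # The KB requires the directory to exist and to be writable by the CA service
    $dir = Split-Path -Path $LogFile -Parent
    if (-not (Test-Path -Path $dir -PathType Container)) { throw "Log directory '$dir' does not exist" }
    Set-ItemProperty -Path $configKey -Name 'ClmCATrace' -Value $LogFile -Type String
}

# Neither the trace switches nor the log location take effect until the CA restarts
Restart-Service -Name CertSvc
```

Run it once with -Level Verbose while troubleshooting and again with the default -Level Info afterwards, since Verbose output grows the log quickly.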

Issue 4

The “Support for non-FIM CM certificates requests” plug-in doesn’t create profiles for external certificates that were created outside the MIM CM.

MIM Synchronization Service

Issue 1

An export-only file-based ECMA2 connector could not export deleted objects.

Issue 2

The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. The msDS-UserPasswordExpiryTimeComputed is a computed attribute in AD DS and is not detected by the import operation. As of this update, the attribute is removed from the list of available attributes in the management agent.

Issue 3

Sometimes during the “Import Server Configuration” stage in the MIM synchronization service (MIISClient), the Import Server Configuration dialog box hangs.

Issue 4

Running more than one run profile with a synchronization task at the same time may cause data corruption.

Note A message box is displayed with a 0x8023063D error code.

Issue 5

After an authoritative restore of Active Directory objects, Active Directory Management Agent (AD MA) delta import mistakenly detects them as deleted.

Issue 6

This update adds the ability to override the default Synchronization engine behavior of changing run profile GUID after export and import of the server configuration.

Note This update adds a special registry subkey to turn on the GUIDs “keeping” mode. To enable “keeping” mode, create the following:

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Forefront Identity Manager\2010\Synchronization Service

String name: KeepEqualRunPrGuids
Value data: True

Issue 7

This update extends the functionality of the AD MA configuration cmdlets to be able to handle multiple partitions.

Note Set-MIISADMAConfiguration was extended with a -Partitions parameter that takes a semicolon (;) separated list of partitions:

      Set-MIISADMAConfiguration -MAName MA_NAME -Forest FORESTNAME -Credentials (Get-Credential) -Partitions "DC=contoso,DC=com; DC=ForestDnsZones,DC=contoso,DC=com"

Issue 8

This update adds a new cmdlet Add-MIISADMARunProfileStep.

Note The example below adds a "Full import" run profile step for partition 'DC=CONTOSO,DC=COM' to the run profile named 'ADMA_FULLIMPORT' of the management agent AD_MA. If a run profile with this name doesn't exist, it is created. The management agent must already exist.

Possible values of the StepType parameter (either the short or the long form can be used):

  • "EXP","EXPORT"

      Add-MIISADMARunProfileStep -MAName 'AD_MA' -Partition 'DC=CONTOSO,DC=COM' -StepType 'FI' -ProfileName 'ADMA_FULLIMPORT'

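
As an added example (not the KB's own sample or the author's), this PowerShell script combines Issue 7 and Issue 8: it configures the AD MA for two partitions with a semicolon-joined -Partitions string and then adds one 'FI' and one 'EXP' step per partition. The snap-in name MIIS.MA.Config is an assumption, as are the MA, forest and profile names.

```powershell
# Added example, not from the KB or this post: configure an AD MA for several
# partitions (Issue 7) and add per-partition run profile steps (Issue 8).
# Assumptions: the cmdlets come from the MIM Synchronization Service snap-in
# (name assumed here: MIIS.MA.Config); run on the sync server with an account
# that is a member of the MIM sync admins group. Names below are constructed.
Add-PSSnapin MIIS.MA.Config -ErrorAction Stop

$maName     = 'AD_MA'
$forest     = 'contoso.com'
$partitions = @('DC=contoso,DC=com', 'DC=ForestDnsZones,DC=contoso,DC=com')

# -Partitions expects a single semicolon-separated string (hotfix Issue 7)
Set-MIISADMAConfiguration -MAName $maName -Forest $forest `
    -Credentials (Get-Credential -Message "AD MA connector account for $forest") `
    -Partitions ($partitions -join ';')

# Only the StepType values shown on this page are used ('FI' = Full import, 'EXP' = Export).
# A profile that does not exist yet is created by the first step added to it (Issue 8).
$profiles = @(
    @{ StepType = 'FI';  ProfileName = 'ADMA_FULLIMPORT' }
    @{ StepType = 'EXP'; ProfileName = 'ADMA_EXPORT' }
)
foreach ($p in $profiles) {
    foreach ($dn in $partitions) {
        Add-MIISADMARunProfileStep -MAName $maName -Partition $dn `
            -StepType $p.StepType -ProfileName $p.ProfileName
    }
}
```
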
Issue 9

MmsScrpt.exe crashes because the binary has an invalid entry point. The most common error displayed is "Access violation."

MIM Portal

Issue 1

This update enables customizations that have controls shown and hidden based on the state of the email enabling check box.

An additional attribute for the RCDC configuration data is included in this update. The Event element may now have a Parameters attribute. In the Group RCDC, for the OnChangeEmailEnabling event it should contain a comma-separated (case-sensitive) list of the controls to show or hide.

Here is a small sample (part of RCDC) to show how it works:

      <my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox" my:Caption="%SYMBOL_EmailEnablingCaption_END%" my:Description="%SYMBOL_EmailEnablingDescription_END%" my:AutoPostback="true" my:RightsLevel="{Binding Source=rights, Path=Email}">
         <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
         <!-- the Event element for OnChangeEmailEnabling, carrying the new Parameters attribute, belongs here -->
      </my:Control>

Note If the Parameters attribute is not included, nothing will change versus the previous behavior.

Issue 2

This update adds the ability to fully customize the portal header.

Note Replace the portal header section with custom HTML content (by adding the CustomPortalHeader.html file into the Customizations folder).

MIM Service

Issue 1

During the 4.3.2064.0 hotfix installation, the database upgrade fails if the FIM Service database name is not the default name of FIMService.

Issue 2

Deadlocks may occur during a request evaluation if a complex Set schema is implemented.

Issue 3

The configuration backup tool does not work in MIM.

BHOLD

Issue 1

The applicationdeletealias function is added for the BHOLD web service.

The function name together with its arguments may be passed as the argument of the ExecuteXml method.

  • userid and applicationid are mandatory arguments
  • alias is an optional argument. Without the alias argument explicitly defined, the function deletes all aliases for an app-user pair.

Issue 2

BHOLD Core shows an error in the LogItems table when roles are removed from a parent.



About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

One Response to MIM 2016: New hotfix build 4.3.2124.0 available

  1. Peter Stapf says:

    There is also a similar hotfix for FIM 2010 R2, build 4.1.3721.0
