Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-06-28) A Hotfix Rollup Package (Build 4.1.3646.0) Is Available for Forefront Identity Manager 2010 R2 SP1

Posted by Jorge on 2015-06-28

Microsoft released a new hotfix rollup for FIM 2010 R2 SP1 with build 4.1.3646.0. What it fixes can be found in this blog post. For additional or detailed info, see MS-KBQ3054196.

Download link

Issues that are fixed or features that are added in this update

This update also fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service

Issue 1

When you update the criteria of a group or set, you receive a SQL error if negative conditions exceed 7 in the filter when you click View members. After you apply this update, the View Members button works as expected.

FIM service portals, add-ins and extensions

Issue 1

When you use the FIM Credential Provider Extension for Self-Service Password Reset (SSPR), you cannot answer by using double-byte characters through the Windows Input Method Editor (IME) in the "Question and Answer" gate. After you apply this update, double-byte characters are not permitted when you are first creating answers.

Issue 2

In the FIM Password Registration Portal, auto-focus on the first text box can cause the first registration question to be hidden from view. After you apply this update, the text box and its caption now act as a single control when they receive the focus, and the question is no longer hidden from view.

Issue 3

On the FIM Password Registration and Password Reset websites, autocomplete was not disabled for the logon forms. After you apply this update, autocomplete is disabled for all logon forms.

Issue 4

After you apply this update, the Object Picker control in the FIM Identity Management Portal returns invalid results if there were special characters in the search string. After you apply this update, the Object Picker control parses the HTML strings correctly so that the Object Picker control returns the correct results.

Certificate management

Issue 1

The revocation settings in a profile template can only be configured for all certificates together and not for each certificate separately. After you apply this update, the administrator can configure the following settings from the Revocation Settings page for each certificate in the policy:

  • RevokeThisCertificate
  • PublishBaseCRL
  • PublishDeltaCRL

Related changes in the FIM CM API: Changes in the FIM CM API were also made to accommodate this change.

  • Properties of Microsoft.Clm.Shared.ProfileTemplates.RevocationOptions that were changed or added.

This property is obsolete. Use the PublishBaseCRL property from CertificateTemplateRevocationOptions instead.

This property is obsolete. Use the PublishDeltaCRL property from CertificateTemplateRevocationOptions instead.

This property is obsolete. Use the RevokeThisCertificate property from CertificateTemplateRevocationOptions instead.

Collection with configuration for each certificate template in the profile template. CertificateTemplateRevocationSettings is a ReadOnlyCollection of the Microsoft.Clm.Shared.ProfileTemplates.CertificateTemplateRevocationOptions type:

public ReadOnlyCollection<CertificateTemplateRevocationOptions> CertificateTemplateRevocationSettings { get; }

  • New object Microsoft.Clm.Shared.ProfileTemplates.CertificateTemplateRevocationOptions has the following properties.


Obtains the string value together with the common name of the current certificate


Obtains a Boolean value that indicates whether the current certificate that is associated with the smart card or the software profile that is to be operated on during a revoke operation will also be revoked.


Obtains a Boolean value that indicates whether a revocation operation causes the base certificate revocation list (CRL) to be published.


Obtains a Boolean value that indicates whether a revocation operation causes a delta CRL to be published.

FIM synchronization service

Issue 1

The management agent for Active Directory receives a "Replication Access Denied" error when you run a Delta Import run profile step on domains that contain a read-only domain controller (RODC).

The documentation currently indicates that the account that is used in the management agent for Active Directory should have the Replicating Directory Changes permission. This is insufficient for domains that have the RODC feature enabled. The account that is used in the management agent for Active Directory should also be granted the Replicating Directory Changes In Filtered Set permission to run Delta Import in such domains.
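One way to check whether the management agent account already holds both rights on the domain naming context, as an added example that is not part of the KB article or of FIM itself. The account name `svc-fim-adma` and the `CONTOSO` domain prefix are placeholders; the script assumes the ActiveDirectory PowerShell module (RSAT) and only evaluates Allow ACEs, not Deny ACEs.

```powershell
# Added example: names below are placeholders, not values from the KB article.
Import-Module ActiveDirectory

$MaSamAccountName = 'svc-fim-adma'                      # placeholder AD MA account
$DomainDn         = (Get-ADDomain).DistinguishedName

# rightsGuid values of the two control access rights the AD MA account needs
$Required = [ordered]@{
    'Replicating Directory Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes In Filtered Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
}

# SIDs that can carry the grant: the account itself plus its transitive groups
$user = Get-ADUser -Identity $MaSamAccountName -Properties tokenGroups
$sids = @($user.SID.ToString()) + @($user.tokenGroups | ForEach-Object { $_.ToString() })

# Allow ACEs on the domain head that grant extended rights to any of those SIDs
$acl   = Get-Acl -Path "AD:\$DomainDn"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $sids -contains $_.IdentityReference.Value
    }

$report = foreach ($name in $Required.Keys) {
    $guid = [guid]$Required[$name]
    # An ObjectType of all zeros means the ACE grants every extended right
    $hit = $rules | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty }
    [pscustomobject]@{ Right = $name; Granted = [bool]$hit }
}
$report | Format-Table -AutoSize

# To grant a missing right (run as a domain administrator; CONTOSO is a placeholder):
# dsacls $DomainDn /G "CONTOSO\${MaSamAccountName}:CA;Replicating Directory Changes In Filtered Set"
```

Run it once per domain that the management agent imports from, since the rights are set on each domain's naming context separately.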

Issue 2

When a new synchronization rule is created and is projected into the metaverse, the following situation occurs whenever a synchronization rule does not project because of a synchronization error:

  • The synchronization exception causes the synchronization engine to remove the newly projected metaverse object because the synchronization failed.
  • The synchronization engine does not remove the import attribute flow rules that were added in the server configuration during the synchronization of the metaverse object.


  • Changes to the existing synchronization rule that failed initial sync do not resolve the problem.
  • The replacement of that synchronization rule does not resolve the problem.

After you apply this update, synchronization rule fragments will not be left in the server configuration when an attempt at failed projection or synchronization is made.

BHOLD and Access Management Connector

Issue 1

When you create a delta-attestation campaign in BHOLD Analytics, an error message is displayed regardless of whether the campaign was created. After you apply this update, the error message is displayed only if there were errors when the campaign was created.

Issue 2

In BHOLD Attestation, user interface elements may not be available with new versions of Internet Explorer. After you apply this update, web forms work and are displayed as expected.




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!



############### Jorge’s Quest For Knowledge #############
