The goal of this article is to provide an overview of the available builds for MIM 2016 as well as a short overview of the new features they introduce.

This article will not provide an overview of all solved issues.


The FIM 2010 builds are available on
The MIM 2016 builds 4.4.1642.0 and newer are available on


Short URL

Bookmark this page as: http: //


Return to Top

See also

While this article is focusing on MIM2016, a more extensive list of build versions of the entire Identity Management stack is available at


Return to Top

MIM 2016 RTM

Build 4.3.1935.0 (MIM 2016 RTM)

Publication date: August 6, 2015

Build 4.3.2064.0 (KB3092179)

Publication date: 11/Dec/2015

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

MIM add-ins and extensions

Issue 1 This hotfix addresses an issue that affects the password reset window and that occurs on monitors that have high DPI settings when the Windows display sizing of items is set to a custom size, such as 200 percent or more.

Certificate Management

  1. Issue 1 You try to enroll a smart card by having the correct profile selected (with correct adminKey). However, the user PIN doesn't correspond to the smart card PIN policy. In this situation, you receive the following error message: The card cannot be accessed because the wrong PIN was presented.
  2. Issue 2 MIM Configuration Manager Reporting doesn't show smart card settings correctly. Settings are shown only for the Pkcs11 smartcard provider and not for baseCSP.
  3. Issue 3 All policies in the MIM Configuration Manager allows for changes to "Revocation Settings" only for all certificates together. In this fix, a new page is added (CertificateTemplateRevocationSettings) to show "revocation settings" for the selected certificate. Changes to ProfilePolicyrevocationSettingsPage are also made to show all certificates of the profile.

MIM Synchronization Service

  1. Issue 1 When you configure an ECMA2 run profile, you receive a “Value of ‘10’ is not a valid value” error message.
  2. Issue 2 The Sync Engine reports a staging-error during delta import when the Generic LDAP connector detects the renaming of an object distinguished name.
  3. Issue 3 When a rename, or a distinguishedName change, of a user is exported to Oracle Directory Enterprise Edition (ODSEE), that user is removed from group memberships. You expect that the membership reference to the renamed object will be updated, instead.
  4. Issue 4 When unsupported characters are entered in the SMTP address, MIM Sync cannot correctly provision the object into GALSync MA. In this situation, the object fails and throws an error. This problem also causes the object to be duplicated.
  5. Issue 5 ECMA2 Export only MA displays an "The image or delta doesn't have an anchor" error message when you perform an Export, CS Search, or CS Deletion.
  6. Issue 6 The Sync Service stops responding when you stop a run profile for the ECMA connector.
  7. Issue 7 The Active Directory MA interprets objects that are restored in the directory as deleted.
  8. Issue 8 If you call Set-MIISECMA2Configuration to set the configuration for the SharePoint connector (Microsoft.IdentityManagement.Connector.Sharepoint.dll, version 4.3.836.0), the call fails silently but the verbose output says that the operation was successful.
  9. Issue 9 The Set-MIISADMAConfiguration cmdlet supports only a single partition and a single container. In this update, the following changes are made to the parameters of this cmdlet.


The -Partitions parameter allows one or more partitions to be specified in the Active Directory MA.

  • The -Partitions parameter can apply single or multiple containers by using the ";" delimiter. 
  • If the -Partitions parameter is absent, the Set-MIISADMAConfiguration cmdlet behaves in the same manner as it did prior to this update.

Example command that uses the -Partitions parameter:

Set-MIISADMAConfiguration -MAName 'AD_MA' -Forest Contoso.COM -Credentials (Get-Credential Contoso\ma_ADMA) -Partitions 'DC=Contoso,DC=COM;DC=ForestDnsZones,DC=Contoso,DC=COM'


This parameter is updated to allow one or more containers to be specified together with the -Parameters parameter. It uses the following rules:

  • If the –Partitions parameter is present, parameter –Container can now apply to single or multiple containers by using the ";" delimiter.
  • If –Container is absent or no container are given for the partition, all the containers of this partition are selected.
  • If –Partitions is absent, the MIISADMAConfiguration cmdlet behaves in the same manner as it did prior to this update, and –Container can accept only a single containe.

Example command that uses the -Partitions and -Container parameters:

Set-MIISADMAConfiguration -MAName 'AD_MA' -Forest Contoso.COM -Credentials (Get-Credential Contoso\ma_ADMA) -Partitions 'DC=Contoso,DC=COM;DC=ForestDnsZones,DC=Contoso,DC=COM' -Container 'OU=1,DC=Contoso,DC=COM;CN=Users,DC=Contoso,DC=COM;CN=Infrastructure,DC=ForestDnsZones,DC=Contoso,DC=COM'

MIM Portal

  1. Issue 1 This hotfix addresses an issue in the MIM Portal that affects the sorting of a customized list view based on the columns that are specified in the ColumnsToDisplay property.
  2. Issue 2 This hotfix updates HTML elements and attributes in the password registration portal and MIM Portal.
  3. Issue 3 The object picker does not search objects that have special characters in their name.
  4. Issue 4 This hotfix updates the translation of the user interface strings that relate to the ������Password Reset AuthN Workflow” activity into Russian.
  5. Issue 5 This hotfix addresses an issue that affects the Leave Member and Remove Member buttons when the group resource type is customized.
  6. Issue 6 This hotfix adds a new search scope that is named "All Groups" to enable searching for and joining groups if the user does not know whether the group is a security group or a distribution list.
  7. Issue 7 Specific culture localization settings for Spanish and French revert to English.
  8. Issue 8 When you update an integer attribute value on the Extended Attributes tab of an object in the MIM Portal, the value is limited to a 32-bit integer. This issue occurs even though the same attribute allows 64-bit integer values if it is updated outside the Portal .
  9. Issue 9 Resource Control Display Configuration (RCDC) does not allow a default tab to be configured.

In this hotfix, the UOCInitialTabName parameter is added to the URL so that an object loads together with its associated RCDC.


The current RCDC users page has four tabs: General, Work Info, Contact Info, Summary.

If you open the corresponding XML, you find XML code that resembles the following:

<my:Grouping my:Name="WorkInfo" my:Caption="%SYMBOL_WorkInfoTabCaption_END%" my:Enabled="true" my:Visible="true">

If you provide the following code for an RCDC users page, the Work Info tab automatically opens:


Or, if you provide the following code for a default administrators page, the Work Info page automatically opens:


MIM Password Registration Portal

  1. Issue 1 On the Question and Answer page, the initial scroll position is incorrect and prevents users from seeing the initial question.

MIM Service

  1. Issue 1 roker service conversations are closed after a sync export to the MIM Service database.
  2. Issue 2 A custom expression that includes Concatenate() is replaced by a plus sign (+) and generates an error when it is saved.
  3. Issue 3 This hotfix addresses an issue that affects the MIM Service database stored procedures in which deadlocks might occur in approval workflows. In particular, deadlocks might occur in deployments that have complex or general Set definitions (for example, sets that match "/*" instead of specific resource types).


  1. Issue 1 An inconsistency can occur between the Permission name and attribute changes that occur during an export, import, and subsequent export process in MIM Sync. In this case, BHOLD receives duplicates of a renamed group and maintains the original group in the database.
  2. Issue 2 The Attestation Campaign Portal has an incorrectly worded title that displays campaign progress.

Build 4.3.2195.0 (KB3134725)

Publication date: 22/Apr/2016


4.3.2124.0 was replaced by 4.3.2195.0 because of issues.
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Privileged Access Management (PAM)

Issue 1
Some group memberships may not be removed by the MIM component service after the PAM request expiration period. This hotfix addresses removal of expired group memberships.

Issue 2
A PAM user has their NetBIOS domain name saved in the Service Database and the PAM user can log on to the Portal.

Issue 3
MIM Monitor errors occur when you use the NetBIOS name for source groups.

Issue 4
The New-PAMGroup and New-PAMUser cmdlets do not accept the fully qualified domain name (FQDN) of the Domain.

Note If you use PAM, this is an important update and should be installed in all environments.

MIM add-ins and extensions

Issue 1

The Approval buttons in the Outlook Add-in disappear in some UI interactions.

Issue 2
You receive an "Installation prerequisites not met" error message if you try to install the MIM Add-in for Outlook on a computer that has Outlook 2016 installed.

MIM Certificate Management

Issue 1
The Profile Template Settings Report displays incorrect information. It shows that PIN Rollover is enabled and that the Admin PIN initial value is set even if this is not true. Also if the Diversify Admin Key setting is enabled, it is not displayed in the Profile Template Settings Report.

Issue 2
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside MIM Certificate Management (CM).

Issue 3
This hotfix updates the MIM CM CA module tracing and logging, which differs from CM Server application tracing in that CA modules are installed on the AD CS server. How to use the
CA modules tracing 
CA module tracing differs from CM Server application, because CA modules might be installed on a separate computer.
Log location
Events can be viewed in the Microsoft\IdentityManagement\CertificateManagement\Admin log. By default, CA modules also write messages to the system folder %temp% (usually C:\Windows\TEMP). To change the log file location, specify the new path of the file in the registry. Make sure that the directory exists and is writable by the CA.

How to change logs location1.Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration in the registry.
2.Define a new file location in the ClmCATrace registry value.
3.Restart the CA.
Trace switch for ExitModule
Registry location:
HKEY_LOCAL_MACHINE \System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\ExitModules\Clm.Exit
String name: Microsoft.Clm.ExitModule
Value data: The Value data can be one of the following: Verbose|Info|Warning|Error
Trace switch for PolicyModule
Registry location:
HKEY_LOCAL_MACHINE \System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy
String name: Microsoft.Clm.PolicyModule
Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error
Trace switch for PolicyModule plugins
Registry location:
HKEY_LOCAL_MACHINE \System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy\<plugin’s name>
String name: Microsoft.Clm.PolicyModulePlugins
Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error
Note Unless key is defined, default value is Info. After the Trace Switch is changed, restart the CA.

Issue 4
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside the MIM CM.

MIM Synchronization Service

Issue 1

An export-only file-based ECMA2 connector could not export deleted objects.

Issue 2
The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. The msDS-UserPasswordExpiryTimeComputed is a computed attribute in AD DS and is not detected by the import operation. As of this update, the attribute is removed from the list of available attributes in the management agent.

Issue 3
Sometimes during the "Import Server Configuration" stage in the MIM synchronization service (MIISClient), the Import Server Configuration dialog box hangs.

Issue 4
Running more than one run profile with a synchronization task at the same time may cause data corruption.

Note A message box is displayed with a 0x8023063D error code.

Issue 5
After an authoritative restore of Active Directory objects, Active Directory Management Agent (AD MA) delta import mistakenly detects them as deleted.

Issue 6
This update adds the ability to override the default Synchronization engine behavior of changing run profile GUID after export and import of the server configuration.
Note This update adds a special registry subkey to turn on the GUIDs "keeping" mode. To enable "keeping" mode, create the following:
Registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Forefront Identity Manager\2010\Synchronization Service
String name: KeepEqualRunPrGuids
Value data: True

Issue 7
This update extends the functionality of the AD MA configuration cmdlets to be able to handle multiple partitions.
Note Set-MIISADMAConfiguration was extended with ‘–Partitions’ with a semicolon (;) separator.
Set-MIISADMAConfiguration -MAName MA_NAME -Forest FORESTNAME -Credentials (Get-Credential) -Partitions "DC=contoso,DC=com; DC=ForestDnsZones,DC=contoso,DC=com"

Issue 8
This update adds a new cmdlet Add-MIISADMARunProfileStep.
Note It adds run profile step "Full import" assigned to partition 'DC=CONTOSO,DC=COM' to the run profile with name 'ADMA_FULLIMPORT' of the management agent AD_MA. If a run profile with this name doesn’t exist, it will be created. The management agent should already exist.
Possible values of the StepType parameter (short form or long one can be used):
Add-MIISADMARunProfileStep -MAName 'AD_MA' -Partition 'DC=CONTOSO,DC=COM' -StepType 'FI' -ProfileName 'ADMA_FULLIMPORT'

Issue 9
MmsScrpt.exe crashes because of the binary having an invalid entry point. The most common error displayed is "Access violation."

MIM Portal

Issue 1

This update enables customizations that have controls shown and hidden based on the state of the email enabling check box.
An additional attribute to RCDC’s configuration data is included in this update. The Now Event element may have a Parameters attribute. For Group RCDC for the OnChangeEmailEnabling event, it should contain a comma-separated (case-sensitive) list of controls to show or hide.
Here is a small sample (part of RCDC) to show how it works:
      <my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox" my:Caption="%SYMBOL_EmailEnablingCaption_END%" my:Description="%SYMBOL_EmailEnablingDescription_END%" my:AutoPostback="true" my:RightsLevel="{Binding Source=rights, Path=Email}">
         <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>

Note If the Parameters attribute is not included, nothing will change versus the previous behavior.

Issue 2
This update adds the ability to fully customize the portal header.
Note Replace the portal header section with custom HTML content (by adding the CustomPortalHeader.html file into the Customizations folder).

MIM Service

Issue 1

During the 4.3.2064.0 hotfix installation, the database upgrade fails if the FIM Service database name is not the default name of FIMService.

Issue 2
Deadlocks may occur during a request evaluation if a complex Set schema is implemented.

Issue 3
The configuration backup tool does not work in MIM.


Issue 1
The applicationdeletealias function is added for the BHOLD web service.
The function name with ARGs may be passed as an argument for the ExecuteXml method.
•userid and applicationid are mandatory arguments
•alias is an optional argument. Without the alias argument explicitly defined, the function deletes all aliases for an app-user pair.

Issue 2
BHOLD Core shows error in the LogItems table upon removing roles from a parent.

Build 4.3.2266.0: KB3171342

Release date: 7/15/2016

To apply this update, you must have Microsoft Identity Manager 2016 build 4.3.1935.0 or a later build installed.

For BHOLD deployments of the BHOLD FIM Integration module or Access Management Connector, you must have this hotfix rollup (4.3.2266.0) installed on your MIM servers before you apply any update to the BHOLD modules.

This update replaces update 3134725 (build 4.3.2195.0) for Microsoft Identity Manager 2016.

Build 4.4.1237.0: DO NOT INSTALL (MIM 2016 SP1)

This build contains MIM 2016 SP1, but requires an uninstall of previous versions. Upgrade is not possible. Intead of installing this build, install build 4.3.1935.0 (MIM 2016 RTM) and apply hotfix build 4.4.1302.0 (SP1 for MIM 2016).

Build 4.4.1302.0: KB3201389 (SP1 for MIM 2016)

This build replaces build 4.3.2266.0.

Build 4.4.1459.0: KB4012498

This build replaces build 4.4.1302.0.

Build 4.4.1642.0: KB4021562

This build replaces build 4.4.1459.0.

Build 4.4.1749.0: KB4050936

This build replaces build 4.4.1642.0.

Build KB4073679

This build replaces build 4.4.1749.0.

Build KB4346632

This build replaces build

Return to Top

FIM 2010 Sharepoint MA

Build 4.3.1935: KB3100358

Issues fixed

This hotfix rollup fixes the following issue that was not previously documented in the Microsoft Knowledge Base.

Issue 1

If there are two or more user profile service applications running in SharePoint Server, regardless of which Application ID is supplied in the MA configuration, you receive the following error message:

IMAExtensible2GetParameters.ValidateConfigParameters: Unable to connect to SharePoint Web Services. Details: Server was unable to process request. Multiple User Profile Applications defined for this Farm: an application ID must be specified to access one of them
This update resolves this issue by targeting incorrect handling of the Application ID by the SharePoint Connector. No user interface changes were made.


Return to Top

Best practices

  • Apply patches in a test or a lab environment before patching your production servers.
  • Keep all FIM solution components on the same patch level.


Return to Top

Additional Resources


To provide feedback about this article, create a post on the FIM TechNet Forum.


Return to Top