Hotfix Instructions - Kentico 12

Hotfixes enable you to fix problems and apply updates to your installation of Kentico. You can download hotfix packages and view the list of fixed bugs on the Kentico DevNet portal.

If you have the source code version of Kentico, please see Hotfix Instructions - Kentico 12 Source Code.

Kentico 12 Service Pack

The Kentico 12 Service Pack is released in the form of hotfix 12.0.29 or newer. Follow the standard hotfix instructions described on this page to apply the service pack to your project.

We recommend using the latest hotfix version to install the service pack. You may otherwise encounter issues related to the MVC page builder functionality in the initial service pack release.


Always back up your project files and database before applying a hotfix.

Table of Contents

Installing the hotfix

  1. Download the installer for the required hotfix version from the Kentico DevNet portal.
  2. Run the Hotfix_<version>.exe file.
  3. Go through the hotfix installation procedure.

By default, the installer places the hotfix into the C:\Program Files\Kentico\<version>\Hotfix<version> folder.


You can only apply the hotfix to complete Kentico projects that use the standard folder structure (the solution file, GlobalAssemblyInfo.cs, the CMS and Lib sub-folders). For example, the hotfix cannot be applied to deployments of the CMS folder.

If your system stores virtual objects on the file system (due to enabled deployment mode or source control options), you need to return the files to the database before you apply the hotfix. Re-enable deployment mode or source control after you finish the hotfix procedure.

Applying the hotfix

Use the following general process to apply the hotfix (we do not recommend attempting to directly hotfix your live production site):

  1. Set up a local instance of your site (including the web project files and database).

    • You can either maintain a permanent local development instance, or get backups of your production site’s web projects and database for each hotfix.
  2. Hotfix the local instance by running the Hotfix Utility. See: Hotfixing your local project

  3. Test that the hotfixed local website works correctly.

  4. Redeploy the project files to your production environment (using your preferred publishing process).

  5. Apply the hotfix SQL script to your production database. See: Hotfixing your production database

  6. To display all features in the Xperience administration correctly, clear the cache in your browser (and ensure the same for all other administration users).

Hotfixing Microsoft Azure applications

If your website is hosted on Microsoft Azure, the recommended hotfix process is the same as outlined above. First apply the hotfix to a local development instance, then redeploy to Azure and run the hotfix SQL script against your production database.

Hotfixing your local project

Note: For further information, see: Upgrading and hotfixing an instance

  1. Run Kentico Hotfix Utility (Hotfix.exe) from the location where you installed the hotfix (C:\Program Files\Kentico\<version>\Hotfix<version> folder by default).

  2. Select your project folder using the Browse button or type in the path to the project manually.

  3. Use the utility to back up your project files and/or database (or skip these steps if you already have backups).

  4. Select which components you want to update. Click Switch to advanced mode if you wish to change the settings.

    • Kentico files – the files of your web project

    • Setup files – the Kentico Installer and other external utilities (which are separate from the web project)

    • SQL script – the database structure and data

      We recommend updating all components. To successfully complete the hotfix, you need to update the files of your web project and apply the SQL script to the database.

  5. Choose a method of taking the project offline and back online.

  6. Click Next to start the hotfix procedure.

  7. After the update finishes, click Next to view any problems that may have occurred and the instructions to solve them.

    Errors that can commonly occur are conflicts with customized files. By default, the hotfix does not overwrite modified files (unless you enable the Overwrite all files option in advanced mode):

    • For each conflict with a customized file, the process creates the new version of the file with the .new extension. You need to manually transfer your customizations to the new files and then replace the original ones.
    • Customized files that would have otherwise been deleted remain in the file system, with an added .deleted extension.
  8. If you use a project of the web application type, open the Kentico solution in Visual Studio and Rebuild the solution.

  9. Open your website in a browser. For MVC sites, you need to open the URL of the Kentico administration interface (not the live site presented by the MVC application).

    • When handling the first request, the system performs certain tasks required to complete the hotfix. Processing of the first request may take longer than usual.

Preparing the hotfixed project files manually

If you do not wish to go through the user interface of the Hotfix Utility, you can create the hotfixed web project files manually using the command line. For example, this can be useful if you wish to integrate the hotfix into a more complex scripted procedure.

  1. Navigate to the location where you installed the hotfix (C:\Program Files\Kentico\<version>\Hotfix<version> folder by default).

  2. Run Hotfix.exe from the command line with the /deploy and /path parameters:

    • Set the /deploy parameter value based on the type of your web project:
      • net461app – for web application projects
      • net461site – for web site projects
    • Use the /path parameter to specify the location where the utility creates the update files. Use a relative path (folder in the location where the utility was executed) or absolute path (any location on a local disk).

Example: Hotfix.exe /deploy=net461app /path=Deploy

Creates a folder named Deploy in the directory from which the utility was executed, and copies all files and folders necessary for updating a web application project to the given hotfix version.

  1. Copy the update files created by the Hotfix Utility into your Kentico web project’s root folder (including the CMS and Lib folders, and GlobalAssemblyInfo.cs file). Overwrite the original files.

    • If you use a project of the web application type, do NOT copy and overwrite the CMS\CMSApp.csproj file.
    • If you have previously modified some of the project files, do NOT overwrite these files. You need to compare the modified files with the new versions and make appropriate changes manually.
  2. Open DeletedFiles.xml in the update file directory and delete all of the listed files from your web project (you can prepare a batch file to automate the process).

  3. If you use a project of the web application type:

    1. Open the Kentico solution in Visual Studio.

    2. Click Show all files at the top of the Solution Explorer.

    3. Locate and select all newly added files under the CMSApp project.

      • Tip: Identify the new files by using a differencing or merging tool to compare your CMSApp.csproj file with the one from the update files.
    4. Right-click one of the selected new files and click Include in Project.

    5. Rebuild the solution.

Hotfixing MVC projects

For websites created using the MVC development model, you need to apply the hotfix to the Kentico administration application (see above), and additionally update the Kentico code used by your MVC application:

  1. Open your MVC application in Visual Studio.
  2. Right-click your MVC project in the Solution Explorer and select Manage NuGet Packages.
  3. Update the Kentico.AspNet.Mvc NuGet package to the version that matches the applied hotfix.

Hotfixing your production database

Update your production database as the last step in the hotfix process, after you test the hotfix locally. This ensures minimum downtime for your live site while avoiding loss of data.

The hotfix version of the database must match the version of the web project, so you need to perform the update together with the redeployment of the hotfixed project files.

Note: On websites that contain a very large amount of data (particularly pages), the database hotfix process can be very resource intensive. You may need to temporarily scale up the performance of your database server and/or increase the database connection timeout.

To update your production database, manually execute the hotfix database scripts (for example using SQL Management Studio). The script files are located in the SQL folder of your hotfix installation directory.

  • If you do not use separated databases – run Hotfix_separated.sql first and then Hotfix_default.sql.
  • If you use separated databases – run Hotfix_separated.sql on the separated database and Hotfix_default.sql on your main database.
  • Note: The script files may be empty if the given hotfix does not require any SQL scripts for the related tables (skip the file in these cases).

Once the database update is complete, you need to open your website in a browser. For MVC sites, open the URL of the Kentico administration interface (not the live site presented by the MVC application). When handling the first request, the system performs certain tasks required to complete the hotfix. Processing of the first request may take longer than usual.

After your administration application loads up, open the Event log application to validate that the hotfix procedure was completed successfully. Check for the presence of any error events with the HotfixProcedure Source.

After applying the hotfix

All users who work with the Kentico administration interface should clear the cache in their browsers after applying the hotfix. Otherwise, some features in the administration interface may not be displayed correctly.

After applying the hotfix to a development instance that has continuous integration enabled, you need to run complete serialization for all objects to recreate the content of the CIRepository folder (use the Continuous integration application in the Kentico administration interface). Apply the hotfix separately for each instance in your development environment. After one developer commits the hotfixed changes to the source control, other developers CANNOT commit or load changes until they apply the hotfix to their own instance.

Updating setup files and external utilities

Hotfixes provide bug fixes for all files related to the Kentico installation, which includes the installer and other external utilities, such as Kentico Installation Manager and Kentico Service Manager.

To update these files and utilities, you need to apply the hotfix to the setup files:

  1. When running the hotfix utility, click Switch to advanced mode in the Change confirmation step.
  2. Select the Setup files checkbox.
  3. Click Next.
  4. In the Running applications step, stop any applications that are currently running from the setup files.
  5. Click Next and continue through the rest of the hotfix procedure.

The hotfix makes any required changes to the files in the directory where you installed your Kentico setup files.

Additional notes and workarounds


  • E-commerce – Products that use inventory tracking and have the Sell only if items available property enabled may in some cases be sold even when the inventory is depleted, if multiple customers place orders concurrently. After applying the hotfix, the system logs a warning into the event log if such a situation occurs. Additionally, the hotfix allows you to prevent the creation of such orders by enabling strict inventory management – use the new CMSUseStrictInventoryManagement web.config key:

      <add key="CMSUseStrictInventoryManagement" value="true"/>


    With strict inventory management enabled, the system throws an InvalidOperationException when a customer attempts to create an order containing a product that became out-of-stock due to another concurrently placed order. The default checkout web parts on Portal Engine sites handle the exception and display an error message.

    If you wish to enable the CMSUseStrictInventoryManagement key on an MVC site or a Portal Engine site with custom checkout components, you need to manually ensure that your custom code handles the exception and displays appropriate information to customers.

  • MVC – Starting from version 12.0.9, the Kentico.AspNet.Mvc NuGet package no longer directly contains the Kentico API libraries used for MVC development. Instead, the libraries are part of a new Kentico.AspNet.Mvc.Libraries package, which is a dependency. The change does not require any additional steps when updating the package version. The new package allows developers to install the MVC API libraries into custom Class Library projects, without needing to add the entire Kentico.AspNet.Mvc package and its content items (which are only intended for MVC web projects).


  • Form components – The hotfix removes the 500 character restriction placed on the Text area form component for the MVC Form builder. After applying the hotfix, the character limit is by default set to the maximum number of characters allowed by the underlying database column. This change is only reflected in form fields created after the hotfix was applied. Existing form fields based on the Text area component are still restricted to 500 characters.

    Increasing the character limit for existing fields

    To increase the character limit for existing Text area fields, you can remove the fields from your forms and reinsert them again. However, by doing this you lose all data collected by each field up to this point (the underlying database column holding the data is deleted and recreated). Back up your form data before you remove the fields, and then insert it again into the new fields (for example using an SQL script).


  • Form builder – The hotfix introduces additional API that enables more extensive markup customization options for forms built using the Form builder feature. The additions consist of a new static rendering configuration affecting the entire form’s body, and new events that enable contextual modifications of the form and individual form fields (for example, adding accessibility attributes based on a field’s type and required status). See Customizing the Form widget for a full overview and examples of the added API.


  • Staging – X.509 certificate authentication for the staging service did not work on instances hosted as an Azure App Service. The system worked with a different certificate store location than the one used by certificates imported into Azure. After applying the hotfix, the correct certificate store location is used (CurrentUser\My). To use certificates for the staging service on Azure, you also need to make them accessible to the application by following the instructions in Load your certificates.


  • MVC – The Insert link dialog, available in the editor on the Content tab for page fields using the Rich text editor form control, incorrectly created page links with absolute URLs, including the site’s scheme, domain and application path (i.e. the site’s Presentation URL). This could cause broken links when transferring content between different environments, for example using staging. After applying the hotfix, the editor creates page links with virtual relative URLs (~/<link path>). Additionally, the hotfix introduces an output filter that automatically resolves all relative URLs on the side of the MVC live site (based on the environment where the site is actually running). This filter prevents content editors from creating invalid links in cases where your MVC application does not resolve links (by processing the content using the Html.Kentico().ResolveUrls method). If you want to disable this output filter and resolve relative links manually, you can add the CMSMVCResolveRelativeUrls key to the appSettings section of your MVC project’s Web.config file:

      <add key="CMSMVCResolveRelativeUrls" value="false" />

    Fixing existing content with absolute links

    Hotfix 12.0.26 only changes how new page links are saved by the rich text editor. Existing links remain stored with absolute URLs. You can fix the links by resaving them manually after you apply the hotfix. To find links with absolute URLs on your website, you can use the process described in the How to fix links inserted via WYSIWIG editor in Kentico 12 article.

  • Import/Export – When a package containing site-specific data was imported, the system forced the rebuild of all smart search indexes assigned to the site where the data was imported. This occurred for all imported objects and could result in long and unnecessary rebuild operations for large indexes. The hotfix disables the forced index rebuild and introduces a new Rebuild site search indexes setting in the Objects selection step of the import wizard, allowing users to determine whether an index rebuild is necessary for each individual import.


  • Kentico 12 Service Pack – For detailed information about the new features and changes, refer to the Release notes.


  • MVC – When running an MVC site and the Kentico administration application on different domains, a CORS policy error could occur when creating new pages of a content-only page type with the Show Page tab setting enabled. The error was encountered if cross-origin resource sharing was not enabled for the MVC application, and only after installing hotfix 12.0.29 (Service Pack). With hotfix 12.0.30 or newer applied, the resource sharing feature is automatically enabled for all MVC projects.

    • When your MVC application processes requests sent from the domain of the connected Kentico administration application, it now sends a response with the Access-Control-Allow-Origin header, which enables cross-origin resource sharing.
    • The UseResourceSharingWithAdministration method of the ApplicationBuilder instance, which was originally used to enable the resource sharing feature, no longer has any effect. We recommend removing the method from the code of your MVC application.


  • Search – The SearchParameters.PrepareForPages method created a SearchParameters object that forced a specific level of supported smart search syntax for search queries. This interfered with the smart search functionality, for example not allowing exact field searching to be performed (i.e., the syntax field:“searchquery” was incorrectly processed). The hotfix introduces overloads for the SearchParameters.PrepareForPages method that allow users to configure the levels of supported search syntax per search request when creating the SearchParameters object. See Building a search interface for local indexes in MVC or the smart search API Examples for an overview of the added API.


  • Users – Kentico’s ASP.NET Identity integration for MVC projects was tightly coupled with the default Kentico.Membership.User class. Any changes to the User class (e.g., added custom properties or additional logic) required a full re-implementation of the entire ASP.NET Identity integration. The hotfix expands the Kentico membership API by introducing the KenticoUserManager, KenticoUserStore, and KenticoSignInManager types, which allow developers to seamlessly integrate custom user types derived from the default Kentico.Membership.User class. If you wish to extend the default User object when working with Kentico’s Identity integration, use the new types with the Kentico prefix in your application’s code instead of the original non-prefixed types. These types accept a generic parameter that specifies the type of the user class. See Adding custom fields to users for more information and examples.


  • General – When the Kentico application was hosted behind a proxy server or some other service that masks the application’s original domain (e.g., Azure Application Gateway), it generated certain requests with incorrect URLs. This caused errors in parts of the application (e.g., when uploading files into Media libraries). When hosting the Kentico application behind a proxy server, developers need to set the CMSUrlHost web.config key (added by the hotfix) to the host component of the proxy server’s URL (omitting the port number, if specified) to ensure the application correctly generates request URLs.

    For example, assuming the site is running behind the proxy server, add the CMSUrlHost key with the value to the appSettings section of the Kentico project’s web.config file:

    Setting the CMSUrlHost web.config key
      <add key="CMSUrlHost" value="" />

    See Running Kentico behind a proxy server for a detailed, step-by-step walkthrough of the configuration.


  • Modules – The Parent object type property of the Roles application’s Edit role UI element was incorrectly set to A/B test (om.abtest). This could have caused errors when adding child UI elements to the Edit role element. Applying the hotfix sets the Parent object type property to (automatic). Note that this will also overwrite any customizations made to the Edit role element in your project.


  • Authentication – After applying the hotfix, the event arguments for handlers of the SecurityEvents.AuthenticationRequested global event include the query string in the provided redirection URL (in the RequestedUrl property of the AuthenticationRequestEventArgs handler parameter).


  • E-commerce – On instances with hotfix 12.0.12 or newer applied, customers with a filled in Tax registration ID value were incorrectly exempt from tax for products with a tax class that had the Zero tax if tax ID is supplied property disabled.

    Note: Applying hotfix 12.0.42 corrects the default tax exemption, but also reverses the changes from 12.0.12. Custom tax exemptions added using an ICustomerTaxClassService implementation apply only for products under a tax class with the Zero tax if tax ID is supplied property enabled. If you have a custom tax exemption and wish to avoid this behavior, please contact Kentico support.


  • MVC – The administration interface URLs internally used in the Pages application for the preview and page builder editing mode of pages on MVC sites incorrectly had unlimited validity. After applying hotfix 12.0.47, these URLs contain a timestamp parameter and expire after 8 hours by default. If you wish to adjust the expiration time, add the CMSPreviewLinkExpiration key with a value representing a specific number of minutes to the appSettings section of the Kentico administration project’s web.config file:

      <add key="CMSPreviewLinkExpiration" value="240" />
  • MVC – When viewing pages on MVC sites through a preview URL (generated in the Pages application on the Properties -> General tab), links to other pages incorrectly preserved the preview mode and the generated user context. After applying hotfix 12.0.47, the href attributes of such links no longer contain preview URLs and the links instead open the live site version of the targeted page.


  • Page builder – If a page builder component (such as a widget) included scripts that used certain ECMAScript 5 features, an exception could occur in some scenarios when loading page builder scripts on pages containing the component. For example, the error could be encountered after installing the Kentico Rich text inline editor widget.

    Note: After applying the hotfix, the system no longer provides minification of page builder component scripts by default. We recommend that you manually ensure minification of custom component scripts in your project.


  • LinkedIn integration – Due to changes in the LinkedIn integration API, the LinkedIn company management functionality in Kentico did not work. After applying the hotfix, you need to manually perform the following:

    • Obtain permissions for your LinkedIn app that are now required for the integration: rw_organization_admin, r_organization_social, w_organization_social. To get the permissions, you need to apply and be approved as a LinkedIn Partner (LinkedIn Marketing Developer Program).

      1. Sign in to
      2. Select your app on the My apps page.
      3. On the Products tab, click Add more products and select Marketing Developer Platform.
    • Once your LinkedIn app has the required permission, generate new authentication tokens for all LinkedIn company profiles registered in Kentico:

      1. Open the LinkedIn application in Kentico.
      2. Select the Company profiles tab.
      3. Edit the company profile and switch to the General tab.
      4. Click Reauthorize next to Company.
      5. In the opened dialog, enter your LinkedIn account credentials and click Allow access.
      6. Click Save.


  • A/B testing – Page visit conversions for A/B tests on MVC sites were not logged correctly for sites running on a URL without a virtual directory (i.e. hosted directly in the root of an IIS website). After applying the hotfix, the TryGetRelativePath public extension method for System.Uri objects (available in the Kentico.OnlineMarketing.Web.Mvc namespace) returns path values including a leading slash (‘/’).


  • Web farms – If using a database server with relatively low-tier performance (for example an Azure SQL database with under 50 DTUs), timeout errors could occur when the system performed cleanup of web farm tasks, typically when the instance contained large synchronization tasks with binary data. This resulted in event log errors and potentially a buildup of web farm tasks in the database. To fix the issue, either increase the connection time out for the database or lower the batch size for task deletion by adding the new CMSWebFarmTaskDeleteBatchSize key to the appSettings section of the project’s web.config file. The key’s default value is 500.

      <add key="CMSWebFarmTaskDeleteBatchSize" value="100" />


  • Email engine – If using a database server with relatively low-tier performance (for example an Azure SQL database with 400 DTUs) and sending extremely large numbers of emails, cleaning of archived emails could fail and potentially lead to buildup of sent emails, and even performance issues or crashes on the website. Email cleaning is performed by the Clean email queue scheduled task, when the Settings -> System -> Emails -> Archive emails (days) setting is greater than 0. To fix the issue, either scale up the database, increase the database connection timeout, or lower the batch size for archived email deletion by adding the new CMSEmailDeleteBatchSize key to the appSettings section of the project’s web.config file. The key’s default value is 2000.

      <add key="CMSEmailDeleteBatchSize" value="200" />


  • API – After applying the hotfix, the static contexts in the Kentico API, such as SiteContext, ContactManagementContext, or CMSActionContext persist their values within custom asynchronous code (async methods). The changes may in certain cases cause incorrect behavior or exceptions when using the TaskFactory API in custom code. To avoid the issues, enclose the code within an additional call of the CMSThread.Wrap method:

      using CMS.Base;
      Task.Factory.StartNew(CMSThread.Wrap(() =>
          // Custom code


  • E-commerce – Free shipping offers with a Minimum order amount were incorrectly evaluated without subtracting any applied order discounts from the checked order price. After applying the hotfix, orders will no longer qualify for free shipping if their price does not meet the minimum amount after subtracting an order discount. The change may affect existing orders if they are edited and recalculated in the administration interface.


  • Form builder – It was not possible to set a static id attribute for the form HTML element of forms placed using the system’s default Form widget. By default, the system always generated a random id for each form to prevent multiple forms with identical identifiers from being placed on a single page.

    After applying the hotfix, you can suppress this behavior by setting the id attribute via the FormWidgetRenderingConfiguration.FormHtmlAttributes property. However, note that this sets the same id attribute for ALL form widget instances. As a result, having more than one form per page is not supported under this configuration. For more information about customizing the markup of the Form widget, see Customizing the Form widget.


  • Facebook integration – Due to changes in the Facebook API and related permissions, the Facebook page publishing functionality may stop working. To use the feature, you need to apply the hotfix and manually update your Facebook app:
    1. Log in to
    2. Click the Facebook app that you use for your website.
    3. Under Settings > Advanced, upgrade the Facebook API Version to v8.0.
    4. Switch to App Review > Permissions and Features and ensure that your app has the following permissions:
      • pages_manage_posts
      • pages_read_user_content and read_insights (to allow retrieval of Facebook Insights statistics about published posts and the related pages).
    5. In Kentico, open the Facebook application, select the Pages tab, and generate new access tokens for your pages (click Authorize when editing the page).


  • Azure Search – It was not possible to change the domain name suffix of requests generated by the system for Azure Search services (e.g., By default, the system assumes your Azure Search services are hosted on the domain (true for the majority of commercial subscriptions). Search requests for Azure indexes are generated using this suffix and the provided search service name. However, certain Azure subscriptions or licenses host search services under a different domain. For example, Azure Government subscriptions use the domain. The hotfix introduces a new CMSAzureSearchDnsSuffix configuration key, which allows you to change the suffix used by the system when generating Azure search requests.

      <!-- Configures the system to generate requests in format: -->
      <add key="CMSAzureSearchDnsSuffix" value="" />


  • Email engine – Many email services are deprecating support of basic authentication via a username and password. A notable example is Microsoft Exchange Online, which begins disabling basic authentication after October 1, 2022 (see Deprecation of Basic authentication in Exchange Online). The hotfix introduces an alternative way to connect to email servers using OAuth 2.0 token-based authorization. OAuth support covers both SMTP servers and mail servers for monitoring bounced emails (using POP3).
    • To use OAuth authentication for an email server, you need to prepare credentials in Xperience and generate an access token. For detailed information, see OAuth for email servers.

    • By default, the system includes an OAuth provider for Microsoft Exchange Online. Other services require the implementation of a custom provider.

    • Applying the hotfix hides obsolete settings related to the protocol (Is SSL) and authentication mechanism of the email server connection. The new email implementation automatically uses the most secure protocol (HTTPS) and authentication mechanism (NTLM, SCRAM, MD5, Plain, etc.) supported by the email server.

      MailKit NuGet package

      The hotfix adds the MailKit 3.1.1 NuGet package to both the administration and live site projects. This may cause conflicts if your projects contain custom functionality using other versions of this package. In this case, you may need to delay the hotfix and adjust your custom implementation to be compatible.

Fixed bugs

For a full list of bugs covered by the hotfix, open the Hotfixes page on DevNet and click Fixed bugs for the appropriate Kentico version.