How do you manually configure an NTP agent to use the local Pwned hash DB, if you cannot make the change from Enterprise Manager? Is there a setting in the config file that will force the EM to send the latest DB hashes to the agent? I have 2 servers in my dev environment that just won’t update and have the pwned DB on their local agent. So it has to reach back to the DCs, which is fine, however, not our standard. I’d like to know how to update the agent manually so that if EM doesn’t do it, I can do it with a simple update to the config file. Sort of like we can do with the DNS Host name resolution. Appreciate your feedback!
Look in the agent's SIWindowsAgent.exe.config file for the entry:
add key="localPwnedDB" value="FALSE"/
(removed start/end <> from above as this site is trying to read it)
The above ="FALSE" tells the agent to ask the EM to test the PW hash. Set it to "TRUE" for the agent to look at a local data set. You will need to restart the agent service after changing the value. This may not work if it is being set to "TRUE" for the first time and done manually rather than via the EM, as the EM arranges to send/update the HIBP data.
2 Likes
Thank you Tony, that worked! Had to soften the agent, updated the config, and then restarted the agent, hardened, and all is good. Thanks again!
2 Likes
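The change described in this thread, scripted as an added example (not from the posters or the vendor). The config path and service name are operator-supplied parameters because the thread does not give them, and the entry is assumed to sit under the standard .NET appSettings section.

```powershell
# Added example. Only the file name SIWindowsAgent.exe.config and the key
# localPwnedDB come from the thread; everything else is supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,   # path to SIWindowsAgent.exe.config
    [Parameter(Mandatory)] [string] $ServiceName,  # agent's Windows service name (not given in the thread)
    [ValidateSet('TRUE', 'FALSE')] [string] $Value = 'TRUE'
)
$ErrorActionPreference = 'Stop'

# .NET resolves relative paths against its own working directory, so use the full path.
$ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).Path

# Edit the file as XML rather than by text replacement so nothing else is disturbed.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($ConfigPath)

# Assumption: the entry lives under <appSettings>, as is usual for .exe.config files.
$node = $xml.SelectSingleNode("//appSettings/add[@key='localPwnedDB']")
if ($null -eq $node) {
    throw "No localPwnedDB entry found in $ConfigPath; leaving the file untouched."
}

$current = $node.GetAttribute('value')
Write-Host "localPwnedDB is currently '$current'"
if ($current -ieq $Value) {
    Write-Host 'Already set; nothing to change.'
    return
}

# Keep a timestamped copy so the change can be reverted.
$backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date)
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# The thread reports the agent had to be softened before the file could be updated,
# so do that first and harden it again afterwards.
$node.SetAttribute('value', $Value)
$xml.Save($ConfigPath)

# The agent only picks up the new value after its service restarts.
Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

As the answer above notes, a manual first-time switch to TRUE may not work if the EM has never sent the HIBP data to that agent.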