The RSA Authentication Agent for Windows stores its configuration files in the C:\Program Files\Common Files\RSA Shared\Auth Data folder by default.  Updating an RSA Authentication Agent for Windows to send authentications to a new Authentication Manager deployment requires the removal of the failover.dat, sdstatus.12 and securid files and changing sdconf.rec file to point to the new server(s).
 
Since the authentication agent monitors the existence of the node secret on the agent and on the server, if the node secret file is deleted from the agent it also must be deleted from the server. In the Security Console under Access > Authentication Agents > Manage Existing, use the Search Criteria to search for the authentication agent in question.  Once found,click on the agent and select Manage Node Secret… Check the option to clear the node secret and click Save.
   
Changing the configuration files of an RSA Authentication Agent for Windows is a manual task. An administrator could start by making the changes to one RSA Authentication Agent for Windows to ensure the process works before changing further RSA Authentication Agent for Windows configurations.
 
For large deployments an administrator could review the RSA Authentication Agent 7.2 Installation and Administration Guide and read a section called “Deploying the Installation Package to Multiple Computers”. Using this section in the product documentation a new installation package could be created with a new configuration where something like Microsoft System Management Server (SMS) is used to remove the previous installation and replace it with the new installation package (containing the new configuration files). Where the Windows platform hosting the RSA Authentication Agent for Windows software is a member of a domain then GPO templates can be used to configure the authentication agent challenge settings. This would need testing to ensure you get desired results.
Alternatively, customers can engage RSA Professional Services to come up with a solution to change the configuration files on a large number of deployed RSA Authentication Agent for Windows.

Table showing configuration files used by an RSA Authentication Agent for Windows:
 

Filename	Description
sdconf.rec	Configuration record providing the IP addresses of the Authentication Manager instances in the deployment. Generated in the Security Console under Access > Authentication Agents > Generation Configuration File.  Click Generate Config File button. Click the Download_Now link to obtain the AM_Config.zip that contains the sdconf.rec file.
failover.dat	The failover.dat file allows agent auto-registration to complete when the primary instance is unavailable or separated from the agent host by a firewall that uses Network Address Translation (NAT). The file includes a list of the primary and replica instances, and their alias IP addresses.
server.cer	The server certificate used with the authentication agent auto-registration utility. Downloadable from the Security Console under Access > Authentication Agents > Download Server Certificate File. Click Download_Now link to obtain the server.cer
securid	The node secret file is used to encrypt communication between the authentication agent and Authentication Manager.  Created during the first successful authentication attempt between the agent and the Authentication Manager server.
sdstatus.12	This file is created by the agent and contains the list of available Authentication Manager instances and time related information.   If this file is deleted, the authentication agent will recreate this file on the next authentication.
sdopts.rec	Used for manual load balancing an authentication agent.   Appendix A: Configuring Automatic Load Balancing (page 81) of the RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide provides information on how to use the sdopts.rec file and describes a number of parameters that can be used in configuring it.