diff --git a/src/Agent.Listener/Configuration/ConfigurationManager.cs b/src/Agent.Listener/Configuration/ConfigurationManager.cs index eb867b51f2..e2f7b3c2cf 100644 --- a/src/Agent.Listener/Configuration/ConfigurationManager.cs +++ b/src/Agent.Listener/Configuration/ConfigurationManager.cs @@ -120,13 +120,13 @@ public async Task ConfigureAsync(CommandSettings command) break; case PlatformUtil.OS.Windows: // Warn and continue if .NET 4.6 is not installed. - #pragma warning disable CA1416 // SupportedOSPlatformGuard not honored on enum members +#pragma warning disable CA1416 // SupportedOSPlatformGuard not honored on enum members if (!NetFrameworkUtil.Test(new Version(4, 6), Trace)) { WriteSection(StringUtil.Loc("PrerequisitesSectionHeader")); // Section header. _term.WriteLine(StringUtil.Loc("MinimumNetFrameworkTfvc")); // Warning. } - #pragma warning restore CA1416 +#pragma warning restore CA1416 break; default: 
@@ -180,16 +180,34 @@ public async Task ConfigureAsync(CommandSettings command) _term.WriteError(StringUtil.Loc("FailedToConnect")); } } - - // We want to use the native CSP of the platform for storage, so we use the RSACSP directly + + bool rsaKeyGetConfigFromFF = global::Agent.Sdk.Knob.AgentKnobs.RsaKeyGetConfigFromFF.GetValue(UtilKnobValueContext.Instance()).AsBoolean(); + RSAParameters publicKey; - var keyManager = HostContext.GetService(); - var ffResult = await keyManager.GetStoreAgentTokenInNamedContainerFF(HostContext, Trace, agentSettings, creds); - var enableAgentKeyStoreInNamedContainer = ffResult.useNamedContainer; - var useCng = ffResult.useCng; - using (var rsa = keyManager.CreateKey(enableAgentKeyStoreInNamedContainer, useCng)) + + if (rsaKeyGetConfigFromFF) + { + // We want to use the native CSP of the platform for storage, so we use the RSACSP directly + var keyManager = HostContext.GetService(); + var ffResult = await keyManager.GetStoreAgentTokenInNamedContainerFF(HostContext, Trace, agentSettings, creds); + var enableAgentKeyStoreInNamedContainer = ffResult.useNamedContainer; + var useCng = ffResult.useCng; + using (var rsa = keyManager.CreateKey(enableAgentKeyStoreInNamedContainer, useCng)) + { + publicKey = rsa.ExportParameters(false); + } + } + else { - publicKey = rsa.ExportParameters(false); + // We want to use the native CSP of the platform for storage, so we use the RSACSP directly + var keyManager = HostContext.GetService(); + var result = keyManager.GetStoreAgentTokenConfig(); + var enableAgentKeyStoreInNamedContainer = result.useNamedContainer; + var useCng = result.useCng; + using (var rsa = keyManager.CreateKey(enableAgentKeyStoreInNamedContainer, useCng)) + { + publicKey = rsa.ExportParameters(false); + } } // Loop getting agent name and pool name diff --git a/src/Agent.Listener/Configuration/IRSAKeyManager.cs b/src/Agent.Listener/Configuration/IRSAKeyManager.cs index e8f810ed8c..f6f5dce38e 100644 
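Review bot: The `if (rsaKeyGetConfigFromFF)` / `else` branches in ConfigureAsync repeat the same key creation and export and differ only in where the `(useNamedContainer, useCng)` pair comes from, so the two paths can drift apart in how the agent's RSA key is created. Resolving the pair first and keeping a single `using` block, as sketched below, removes that duplication. Because the knob defaults to false in this commit, the server feature-flag lookup is skipped unless an operator opts in, and the storage choice then rests on local knobs whose defaults are not visible in this diff. A trace line recording which source was used and the two resulting values would let an operator verify how the private key was stored. ConfigureAsync starts and ends outside the hunk.

```csharp
RSAParameters publicKey;

// … unchanged: keyManager lookup from HostContext, now done once before the branch …

// Only the source of the storage settings depends on the knob; key creation is shared.
var keyConfig = rsaKeyGetConfigFromFF
    ? await keyManager.GetStoreAgentTokenInNamedContainerFF(HostContext, Trace, agentSettings, creds)
    : keyManager.GetStoreAgentTokenConfig();

// We want to use the native CSP of the platform for storage, so we use the RSACSP directly
using (var rsa = keyManager.CreateKey(keyConfig.useNamedContainer, keyConfig.useCng))
{
    // Export the public half only (includePrivateParameters: false).
    publicKey = rsa.ExportParameters(false);
}
```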
--- a/src/Agent.Listener/Configuration/IRSAKeyManager.cs +++ b/src/Agent.Listener/Configuration/IRSAKeyManager.cs @@ -60,6 +60,14 @@ public static class IRSAKeyManagerExtensions return (enableAgentKeyStoreInNamedContainerFF, useCngFF); } + + public static (bool useNamedContainer, bool useCng) GetStoreAgentTokenConfig(this IRSAKeyManager _) + { + var useNamedContainer = AgentKnobs.StoreAgentKeyInCSPContainer.GetValue(UtilKnobValueContext.Instance()).AsBoolean(); + var useCng = AgentKnobs.AgentKeyUseCng.GetValue(UtilKnobValueContext.Instance()).AsBoolean(); + + return (useNamedContainer, useCng); + } } // Newtonsoft 10 is not working properly with dotnet RSAParameters class diff --git a/src/Agent.Sdk/Knob/AgentKnobs.cs b/src/Agent.Sdk/Knob/AgentKnobs.cs index 0cad3aecca..df35a7f4dc 100644 --- a/src/Agent.Sdk/Knob/AgentKnobs.cs +++ b/src/Agent.Sdk/Knob/AgentKnobs.cs @@ -663,5 +663,11 @@ public class AgentKnobs new RuntimeKnobSource("AZP_AGENT_USE_INTEROP_TO_FIND_PARENT_PROCESS"), new EnvironmentKnobSource("AZP_AGENT_USE_INTEROP_TO_FIND_PARENT_PROCESS"), new BuiltInDefaultKnobSource("false")); + + public static readonly Knob RsaKeyGetConfigFromFF = new Knob( + nameof(RsaKeyGetConfigFromFF), + "Get config from FF.", + new EnvironmentKnobSource("RSAKEYGETCONFIGFROMFF"), + new BuiltInDefaultKnobSource("false")); } }
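Review bot: `GetStoreAgentTokenConfig` has no doc comment, so nothing at the declaration tells a caller that it reads only the `StoreAgentKeyInCSPContainer` and `AgentKeyUseCng` knobs and, as far as the visible body shows, makes no server call. I would add `/// <summary>Reads the agent key storage settings from local knobs only; no server feature flag is consulted.</summary>` plus a `<returns>` line naming the two tuple elements. The receiver is discarded (`this IRSAKeyManager _`), so this is effectively a static helper; a short comment saying the extension form is kept for call-site symmetry would explain the unused parameter. Since the result decides how the agent's private key is stored, the doc should also say where those knob values can come from, as their sources are declared outside this diff.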
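Review bot: The description `"Get config from FF."` on `RsaKeyGetConfigFromFF` does not say which config is meant or what happens when the knob is off, even though it gates how the agent's RSA key storage is decided. Something like `"If true, the RSA key storage settings (named container, CNG) are taken from server feature flags; otherwise from local knobs."` would make that visible wherever knobs are listed. The environment name `RSAKEYGETCONFIGFROMFF` also departs from the `AZP_`-prefixed, underscore-separated name of the knob directly above it, and there is no `RuntimeKnobSource`. If both are deliberate, a one-line comment saying so would help.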