NinjaOne Backup — Agent Won't Install: TLS 1.2 & Prerequisites
Audience: T2 Use when: Lockhart fails to install on a device, or the backup agent isn't appearing after you've deployed it.
Why Lockhart Installation Fails
The two most common causes at DTC sites:
- TLS 1.2 is not the default protocol — NinjaOne Backup requires TLS 1.2 for all communication. If TLS 1.0 or 1.1 is the default (common on older Server 2012/2016 builds or Windows 7/10 machines that haven't been updated), the installer fails silently.
- Previous backup agent remnants — old MSP360 / CloudBerry agent files or registry entries conflict with the Lockhart installer.
Step 1 — Check TLS 1.2 Status
# Check current .NET TLS settings (run on the affected device)
[Net.ServicePointManager]::SecurityProtocol
# Should return: Tls12 (or include Tls12 in the list)
# If it only shows Ssl3, Tls, or Tls11 — TLS 1.2 is NOT the default
# Check Windows registry for TLS settings
$paths = @(
"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",
"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
)
foreach ($path in $paths) {
if (Test-Path $path) {
Get-ItemProperty $path | Select PSPath, Enabled, DisabledByDefault
} else {
Write-Host "Path not found: $path (TLS 1.2 may use defaults)"
}
}
Step 2 — Enable TLS 1.2 (If Not Set)
# Enable TLS 1.2 for both client and server — run as Administrator
# Create registry keys if they don't exist
$tls12Paths = @(
"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",
"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
)
foreach ($path in $tls12Paths) {
if (-not (Test-Path $path)) {
New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 0 -Type DWord
}
# Also set .NET Framework to use TLS 1.2
$netPaths = @(
"HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
"HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"
)
foreach ($path in $netPaths) {
if (Test-Path $path) {
Set-ItemProperty -Path $path -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
}
}
Write-Host "TLS 1.2 enabled. Reboot required before retrying backup agent install."
Reboot the machine, then retry the backup agent installation from NinjaOne.
Step 3 — Check for MSP360 / CloudBerry Remnants
During the MSP360 migration, some devices may still have the old agent installed or leftover components:
# Check for MSP360 / CloudBerry components
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object {
$_.DisplayName -like "*MSP360*" -or
$_.DisplayName -like "*Cloudberry*" -or
$_.DisplayName -like "*Online Backup*" -or
$_.DisplayName -like "*MBS*"
} | Select DisplayName, DisplayVersion, InstallDate
If found: uninstall the old agent from Programs and Features, reboot, then retry the NinjaOne Backup agent install.
Step 4 — Manual Install via NinjaOne
If the agent still won't install automatically via policy:
- NinjaOne → device → Backup tab → Install Backup Agent (if the option appears)
- Or: NinjaOne → device → Terminal → run the install command from the NinjaOne backup setup guide
- Check the Activities tab for install errors — the exact failure reason appears there
Step 5 — Check Install Logs
# Check Windows temp for install log artifacts
Get-ChildItem "C:\Windows\Temp" | Where-Object {$_.Name -like "*Lockhart*" -or $_.Name -like "*NinjaBackup*"} | Select Name, LastWriteTime
# Check the Program Data path for any partial install
Test-Path "C:\ProgramData\NinjaRMM\NinjaOneBackup"
If the NinjaOneBackup folder exists but the service is missing, the install partially ran. Remove the folder manually, reboot, and retry.
Escalate to NinjaOne Support If:
- TLS 1.2 is confirmed enabled, no MSP360 remnants, and install still fails
- Install log shows an error code that doesn't match the above steps
- Device OS version is unusual (Server 2008 R2, Windows 7) — older OS support is limited
Include: OS version, PowerShell version, TLS registry output, and install log from C:\Windows\Temp.