Lockdown Mode
Last Updated December 19, 2024
To increase the security of your hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through . By default, only the system, represented by the vpxuser user, has authentication permissions. No other users can perform operations against a host in lockdown mode.
vSphere 5.x and later supports normal lockdown mode, as discussed in the vSphere 5.x documentation center. vSphere 6.0 and later supports more fine-grained management.
- In normal lockdown mode, you can add users to the DCUI.Access advanced option, which can access the Direct Console User Interface regardless of their privileges on the host. Starting with vSphere 6.0, you can also use the to add Exception users, which can access the Direct Console User Interface if they have host management privileges.
- In strict lockdown mode, users cannot access the Direct Console User Interface. If becomes unavailable, the host can no longer be managed.
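The DCUI access rules in the two bullets above can be checked against an inventory export. The following is an added example, not VMware code: the Host record, its field names, the mode labels and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    mode: str  # "disabled", "normal" or "strict" (labels chosen for this example)
    dcui_access: set = field(default_factory=set)      # users in the DCUI.Access advanced option
    exception_users: set = field(default_factory=set)  # users on the Exception users list
    host_admins: set = field(default_factory=set)      # users with host management privileges


def dcui_users(host):
    """Users who can reach the DCUI under the rules described above."""
    if host.mode == "strict":
        return set()  # the DCUI service is disabled in strict mode
    if host.mode == "normal":
        # DCUI.Access applies regardless of privileges; Exception users need them.
        return host.dcui_access | (host.exception_users & host.host_admins)
    raise ValueError(f"{host.name}: not in lockdown mode")


def audit(host):
    """Return review findings for one host as a list of strings."""
    if host.mode == "disabled":
        return ["lockdown mode is not enabled"]
    if host.mode == "strict":
        return ["strict: no DCUI fallback if the managing system is unavailable"]
    findings = []
    for user in sorted(host.dcui_access - host.host_admins):
        findings.append(f"{user}: DCUI access via DCUI.Access without host privileges")
    for user in sorted(host.exception_users - host.host_admins):
        findings.append(f"{user}: Exception user without host management privileges, no DCUI access")
    if not dcui_users(host):
        findings.append("normal: nobody can reach the DCUI")
    return findings


# Constructed sample inventory, not taken from a real environment.
INVENTORY = [
    Host("esx-a", "normal", {"root", "breakglass"}, {"svc-backup", "ops-admin"}, {"root", "ops-admin"}),
    Host("esx-b", "strict", {"root"}, {"ops-admin"}, {"root", "ops-admin"}),
    Host("esx-c", "disabled"),
]

if __name__ == "__main__":
    for h in INVENTORY:
        for finding in audit(h):
            print(f"{h.name}: {finding}")
```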
When a host is in normal or strict lockdown mode, you cannot run vSphere CLI commands against the host directly. Instead, you target the system that manages the host with the --server option and specify the host with the --vihost option.
When you enable strict lockdown mode, the Direct Console User Interface service is disabled.
You can enable lockdown mode by using the Add Host wizard to add a host to , by using the to manage a host, or by using the Direct Console User Interface (DCUI).
See the vSphere Security documentation for details on lockdown mode in vSphere 6.x.