Lockdown Mode

To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. By default, only the vCenter Server system, represented by the vpxuser user, has authentication permissions. No other users can perform operations against a host in lockdown mode.
  • In normal lockdown mode, you can add users to the DCUI.Access advanced option, which can access the Direct Console User Interface regardless of their privileges on the host. You can also use the vSphere Client to add Exception users, which can access the Direct Console User Interface if they have host management privileges.
  • In strict lockdown mode, users cannot access the Direct Console User Interface. If vCenter Server becomes unavailable, the host can no longer be managed.
When a host is in normal or strict lockdown mode, you cannot run ESXCLI commands against the host directly. Instead, you target the vCenter Server system that manages the host with the --server option and specify the ESXi host with the --vihost option.
When you enable strict lockdown mode, the Direct Console User Interface service is disabled.
You can enable lockdown mode by using the Add Host wizard to add a host to vCenter Server, by using the vSphere Client to manage a host, or by using the Direct Console User Interface (DCUI).
See the vSphere Security documentation for details on lockdown mode.
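The following wrapper shows the invocation form described above for a host in lockdown mode: ESXCLI is pointed at the managing vCenter Server with --server and at the ESXi host with --vihost. It is an added example, not part of the VMware documentation; the host names vc.example.com and esxi01.example.com are hypothetical, the esxcli binary is assumed to be installed from vCLI, and credentials are assumed to come from the vCLI environment variables VI_USERNAME and VI_PASSWORD (or a credential store) rather than from the command line. DRY_RUN=1 prints the assembled command instead of running it, so the form can be checked offline.

```shell
#!/bin/sh
# Added example, not from the VMware documentation.
# Run an ESXCLI command against an ESXi host in lockdown mode by going through the
# vCenter Server that manages it (--server = vCenter, --vihost = ESXi host).
# Assumptions: `esxcli` from vCLI is on PATH; VI_USERNAME / VI_PASSWORD (real vCLI
# environment variables) or a credential store supply the vCenter credentials, so no
# password appears in the process list.

# esxcli_via_vcenter <vcenter> <esxi-host> <esxcli args...>
# Refuses to run without both a vCenter and a host name, because without --vihost
# the command would be aimed at vCenter itself rather than at the ESXi host.
# With DRY_RUN=1 it prints the command that would be executed and returns 0.
esxcli_via_vcenter() {
    if [ "$#" -lt 3 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: esxcli_via_vcenter <vcenter> <esxi-host> <esxcli args...>" >&2
        return 2
    fi
    vc="$1"
    host="$2"
    shift 2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "esxcli --server $vc --vihost $host $*"
        return 0
    fi
    esxcli --server "$vc" --vihost "$host" "$@"
}

# Stand-alone usage (hypothetical names): show the command form without executing it.
DRY_RUN=1 esxcli_via_vcenter vc.example.com esxi01.example.com system version get
```

In production, drop DRY_RUN and the function executes the command; `system version get` is a harmless read-only query that confirms the vCenter/host pairing works before running anything that changes host configuration.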