VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Lockdown Mode
Last Updated December 16, 2024

To increase the security of your
ESXi
 hosts, you can put them in lockdown mode.
In lockdown mode, all operations must be performed through
vCenter Server
. By default, only the
vCenter Server
 system, represented by the vpxuser user, has authentication permissions. No other users can perform operations against a host in lockdown mode.
  • In normal lockdown mode, you can add users to the
    DCUI.Access
     advanced option, which can access the Direct Console User Interface regardless of their privileges on the host. You can also use the
    vSphere Client
     to add Exception users, which can access the Direct Console User Interface if they have host management privileges.
  • In strict lockdown mode, users cannot access the Direct Console User Interface. If
    vCenter Server
     becomes unavailable, the host can no longer be managed.
When a host is in normal or strict lockdown mode, you cannot run ESXCLI commands against the host directly. Instead, you target the
vCenter Server
 system that manages the host with the
--server
 option and specify the
ESXi
 host with the
--vihost
 option.
When you enable strict lockdown mode, the Direct Console User Interface service is disabled.
You can enable lockdown mode by using the Add Host wizard to add a host to
vCenter Server
, by using the
vSphere Client
 to manage a host, or by using the Direct Console User Interface (DCUI).
See the
vSphere Security
 documentation for details on lockdown mode.

Content feedback and comments