The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Search the VMware Knowledge Base (KB)
View by Article ID
Enabling or disabling Lockdown mode on an ESXi host (1008077)
Details
To increase the security of your ESXi hosts, you can put them in Lockdown mode. This article provides information on enabling or disabling Lockdown mode on an ESXi host.
Solution
When you enable Lockdown mode, only the vpxuser has authentication permissions. Other users cannot perform any operations directly on the host. Lockdown mode forces all operations to be performed through vCenter Server. A host in Lockdown mode cannot run vCLI commands from an administration server, from a script, or from the vMA on the host. In addition, external software or management tools might not be able to retrieve or modify information from the ESXi host.
You can enable Lockdown mode from the Direct Console User Interface (DCUI).
Notes:
These procedures are for ESXi only.
The host profile does not have a setting to enable or disable Lockdown mode.
Configure Lockdown Mode will be grayed out if vCenter is down or the host is disconnected from vCenter.
None of the troubleshooting services will work after Lockdown mode is enabled.
If you enable or disable Lockdown mode using the DCUI, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable or disable Lockdown mode using the vSphere Client connected to vCenter Server.
To enable Lockdown mode:
Log directly into the ESXi host.
Open the DCUI on the host.
Press F2 for Initial Setup.
Toggle the Configure Lockdown Mode setting.
Using troubleshooting services
By default, troubleshooting services in ESXi hosts are disabled. You can enable these services if necessary. Troubleshooting services can be enabled or disabled irrespective of the Lockdown mode on the host.
The various troubleshooting services are:
Local Tech Support Mode (TSM): You can enable this service to troubleshoot issues locally.
Remote Tech Support Mode Service (SSH): You can enable this service to troubleshoot issues remotely.
Direct Console User Interface Service (DCUI): When you enable this service while running in Lockdown mode, you can log in locally to the Direct Console User Interface as the root user and disable Lockdown mode. You can then troubleshoot the issue using a direct connection to the vSphere Client or by enabling Tech Support Mode.
Enabling or disabling the Lockdown mode using ESXi Shell
You can run these commands from the vSphere CLI to verify the status of the Lockdown mode and to enable/disable it.
ESXi 5.x and 4.1
To check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
To enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
ESXi 4.0
To check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/admin_account_is_enabled
To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/admin_account_enable
To enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/admin_account_disable
Note: To check the status or disable Lockdown mode when Lockdown mode is already enabled, you must enter the Direct Console User Interface Service (DCUI) and then run these commands on the ESXi host.
Enabling or disabling Lockdown mode using PowerCLI
To enable Lockdown mode using PowerCLI, run this command:
(get-vmhost <hostname> | get-view).EnterLockdownMode() | get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto Name LockDown
01/10/2010 - Indicated that the host profile does not have a setting to enable or disable Lockdown mode
07/08/2011 - Added PowerCLI commands to enable and disable lockdown mode
02/08/2012 - Added steps for ESXi 5.0, Enabling and disabling the Lockdown mode
02/19/2013 - Updated for ESXi 5.1
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.
