Enabling or disabling Lockdown mode on an ESXi host (1008077)

Details

To increase the security of your ESXi hosts, you can put them in Lockdown mode. This article provides information on enabling or disabling Lockdown mode on an ESXi host.

Solution

ESXi 6.0:

Starting with vSphere 6.0, you can select normal Lockdown mode or strict Lockdown mode, which offer different degrees of lockdown.

Normal Lockdown mode:

In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface: 

  • Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
  • Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.

Strict Lockdown mode:

In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.

For more information on Lockdown mode in vSphere 6.0, see the Lockdown Mode section in the vSphere Security Guide.

To enable or disable Lockdown mode from the DCUI:
  1. Log directly in to the ESXi host.
  2. Open the DCUI on the host.
  3. Press F2 for Initial Setup.
  4. Press Enter to toggle the Configure Lockdown Mode setting.

To enable or disable Lockdown mode from the vSphere Web Client:
  1. Browse to the host in the vSphere Web Client inventory.
  2. Click the Manage tab and click Settings.
  3. Under System, select Security Profile.
  4. In the Lockdown Mode panel, click Edit.
  5. Click Lockdown Mode and select one of the lockdown mode options.

ESXi 5.x and prior:

When you enable Lockdown mode, only the vpxuser has authentication permissions. Other users cannot perform any operations directly on the host. Lockdown mode forces all operations to be performed through vCenter Server. A host in Lockdown mode cannot run vCLI commands from an administration server, from a script, or from the vMA on the host. In addition, external software or management tools might not be able to retrieve or modify information from the ESXi host.

For more information on Lockdown mode, see the vSphere Security Guide (for vSphere 5.x) or the ESXi Configuration Guide (for earlier versions).

You can enable Lockdown mode from the Direct Console User Interface (DCUI).

Notes:
  • These procedures are for ESXi only.
  • The host profile does not have a setting to enable or disable Lockdown mode.
  • Configure Lockdown Mode will be grayed out if vCenter is down or the host is disconnected from vCenter.
  • None of the troubleshooting services will work after Lockdown mode is enabled.

If you enable or disable Lockdown mode using the DCUI, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable or disable Lockdown mode using the vSphere Client connected to vCenter Server.

To enable Lockdown mode:
  1. Log directly in to the ESXi host.
  2. Open the DCUI on the host.
  3. Press F2 for Initial Setup.
  4. Press Enter to toggle the Configure Lockdown Mode setting.

Using troubleshooting services

By default, troubleshooting services in ESXi hosts are disabled. You can enable these services if necessary. Troubleshooting services can be enabled or disabled irrespective of the Lockdown mode on the host.

The various troubleshooting services are:
  • Local Tech Support Mode (TSM): You can enable this service to troubleshoot issues locally.
  • Remote Tech Support Mode Service (SSH): You can enable this service to troubleshoot issues remotely.
  • Direct Console User Interface Service (DCUI): When you enable this service while running in Lockdown mode, you can log in locally to the Direct Console User Interface as the root user and disable Lockdown mode. You can then troubleshoot the issue using a direct connection to the vSphere Client or by enabling Tech Support Mode.

    For information on Tech Support Mode, see Tech Support Mode for Emergency Support (1003677) or Using Tech Support Mode in ESXi 4.1 and ESXi 5.x (1017910).

Enabling or disabling the Lockdown mode using ESXi Shell

You can run these commands from the vSphere CLI to verify the status of the Lockdown mode and to enable/disable it.

ESXi 5.x and 4.1:
  • To check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
  • To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
  • To enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter

ESXi 4.0:
  • To check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/admin_account_is_enabled
  • To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/admin_account_enable
  • To enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/admin_account_disable

Note: To check the status or disable Lockdown mode when Lockdown mode is already enabled, you must enter the Direct Console User Interface Service (DCUI) and then run these commands on the ESXi host.

Enabling or disabling Lockdown mode using PowerCLI

To enable Lockdown mode using PowerCLI, run this command:

(Get-VMHost <hostname> | Get-View).EnterLockdownMode()   # returns nothing, so the state is read back separately
Get-VMHost <hostname> | Select-Object Name, @{N="LockDown"; E={$_.ExtensionData.Config.AdminDisabled}} | Format-Table -AutoSize Name, LockDown

To disable Lockdown mode, run this command:

(get-vmhost <hostname> | get-view).ExitLockdownMode()

To batch modify Lockdown mode using PowerCLI, save this text in a *.PS1 file and run with PowerCLI:

$vCenter = 'vCenterServer_Name_or_IP_address'
Connect-VIServer $vCenter
$Scope = Get-VMHost   # This will change the Lockdown Mode on all hosts managed by vCenter
foreach ($ESXhost in $Scope) {
    ($ESXhost | Get-View).ExitLockdownMode()    # To DISABLE Lockdown Mode
    #($ESXhost | Get-View).EnterLockdownMode()  # To ENABLE Lockdown Mode (comment out the line above)
}
Disconnect-VIServer -Server $vCenter -Confirm:$false
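As an added audit example (not VMware's own code from this article), the script below reads the lockdown state of every host managed by the connected vCenter, using the 6.0 LockdownMode value where the host exposes it and the AdminDisabled flag on older hosts, together with the SSH and ESXi Shell service state, the DCUI.Access list and, on 6.0 hosts, the Exception Users. It assumes a PowerCLI session; the vCenter name is a placeholder.

```powershell
# Added audit script, not from the VMware KB article. Requires PowerCLI.
$vCenter = 'vCenterServer_Name_or_IP_address'   # placeholder
Connect-VIServer $vCenter | Out-Null

$report = foreach ($ESXhost in Get-VMHost) {
    $cfg = $ESXhost.ExtensionData.Config

    # vSphere 6.0+ exposes lockdownDisabled / lockdownNormal / lockdownStrict;
    # ESXi 5.x and earlier only expose the AdminDisabled flag.
    if ($null -ne $cfg.LockdownMode) {
        $mode = $cfg.LockdownMode.ToString()
    } elseif ($cfg.AdminDisabled) {
        $mode = 'lockdownEnabled'
    } else {
        $mode = 'lockdownDisabled'
    }

    # Troubleshooting services are configured independently of Lockdown mode,
    # so a locked-down host can still be reachable over SSH if TSM-SSH is running.
    $services = Get-VMHostService -VMHost $ESXhost
    $sshOn    = ($services | Where-Object { $_.Key -eq 'TSM-SSH' }).Running
    $shellOn  = ($services | Where-Object { $_.Key -eq 'TSM' }).Running

    # Emergency DCUI access list; these users need no admin rights on the host.
    $dcuiAccess = (Get-AdvancedSetting -Entity $ESXhost -Name 'DCUI.Access').Value

    # Exception Users exist only on 6.0+ hosts (HostAccessManager).
    $exceptions = $null
    $hamRef = $ESXhost.ExtensionData.ConfigManager.HostAccessManager
    if ($null -ne $cfg.LockdownMode -and $null -ne $hamRef) {
        $ham = Get-View $hamRef
        $exceptions = ($ham.QueryLockdownExceptions() -join ',')
    }

    [pscustomobject]@{
        Host           = $ESXhost.Name
        LockdownMode   = $mode
        SSH            = $sshOn
        ESXiShell      = $shellOn
        DCUIAccess     = $dcuiAccess
        ExceptionUsers = $exceptions
    }
}

$report | Format-Table -AutoSize
# Hosts that are not locked down, or are locked down but still listening on SSH, deserve review.
$report | Where-Object { $_.LockdownMode -eq 'lockdownDisabled' -or $_.SSH } | Format-Table -AutoSize
Disconnect-VIServer -Server $vCenter -Confirm:$false
```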

For more information, see the vSphere Command-Line Interface Documentation.


Update History

01/10/2010 - Indicated that the host profile does not have a setting to enable or disable Lockdown mode
07/08/2011 - Added PowerCLI commands to enable and disable lockdown mode
02/08/2012 - Added steps for ESXi 5.0, Enabling and disabling the Lockdown mode
02/19/2013 - Updated for ESXi 5.1
07/23/2013 - Added script to batch modify Lockdown mode
