When attempting to enable lockdown mode on your ESXi host, you experience these symptoms:

• In the vSphere Client, the status of lockdown mode under Configuration > Security Profile appears as Disabled
• After selecting the Enable Lockdown Mode option and clicking OK, you see the error:
  
  Disabling administrator permission is not supported on the host
  
  
• In the vpxa.log file, located at /var/log/vmware/vpx on ESXi 4.1 and /var/log on ESXi 5.x, you see errors similar to:
  
  
  ERROR task-internal-532441 -- -- vpxapi.VpxaService.removeAdminPermission: vim.fault.DisableAdminNotSupported:
  --> Result:
  --> (vim.fault.DisableAdminNotSupported) {
  --> dynamicType = <unset>,
  --> faultCause = (vmodl.MethodFault) null,
  --> msg = "",
  --> }
  --> Args: Arg vimuser: "vpxuser"
  

• Lockdown mode has been enabled directly on the Direct Console User Interface (DCUI) of the ESXi host, instead of enabling it through vCenter Server.
• The permissions for the DCUI user were removed from the ESXi host.

1. Disable lockdown mode through the DCUI and then enable it through the vCenter Server instead. The vCenter Server does not keep track of lockdown mode state changes that initiated outside of the vCenter Server itself.
   
   
   1. Log directly into the ESXi host.
   2. Open the DCUI on the host.
   3. Press F2 for System Customization.
   4. Disable lockdown mode by toggling the Configure Lockdown Mode setting.
      
      
2. If the DCUI shows that Configure Lockdown Mode is greyed out, the DCUI user permissions may be missing from the host.
   
   
   1. Log into the host directly using the vSphere Client.
   2. Click the Permissions tab.
   3. Right-click anywhere on the blank part of the screen and click Add Permission.
   4. Add the dcui user and select Administrator for the Assigned Role.
   5. Click OK.