Follow these best practices at all times when you operate your ESXi hosts.

Table 1. ESXi Hosts

Best practice: Add only system accounts to the ESXi exception users list.
Description: You can add users to the exception users list from the vSphere Client. Such users do not lose their permissions when the host enters lockdown mode. Add only service accounts, such as backup agents; do not add administrative users or user groups to that list.

Best practice: Install security patches and updates for ESXi hosts.
Description: Install all security patches and updates on the ESXi hosts as soon as the update bundles are available in SDDC Manager.

Do not apply patches to ESXi manually or by using vSphere Update Manager or VMware vCenter Lifecycle Manager in a VMware Cloud Foundation environment unless directed to do so by support. Patching the environment without using SDDC Manager not only leads to a less secure environment but may also cause problems with automated upgrades or actions in the future.

Best practice: Do not provide root or administrator-level access to CIM-based hardware monitoring tools or other third-party applications.
Description: The CIM system provides an interface that enables hardware-level management from remote applications through a set of standard APIs. Create a limited-privilege, read-only service account for CIM and add this user to the exception users list. If CIM write access is required, create a new role with only the Host.CIM.Interaction permission and apply that role to your CIM service account.

Best practice: The ESXi host must use approved certificates.
Description: Replace the default self-signed, VMCA-issued host certificate with a certificate from a trusted Certificate Authority (CA).
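The following PowerCLI audit is an added example, not code from VMware's documentation: it checks the exception-user and certificate rows of Table 1 on every host. It assumes an existing Connect-VIServer session, a constructed allowlist of approved service accounts ($ApprovedExceptionUsers), and the default VMCA issuer naming (OU=VMware Engineering, DC=vsphere) as the pattern that marks an unreplaced host certificate.

```powershell
# Added example (not from the VMware page). Requires PowerCLI and an existing
# Connect-VIServer session. The allowlist and the VMCA issuer pattern below are
# assumptions; adjust them to your environment.

# Constructed allowlist of service accounts allowed in the lockdown exception list.
$ApprovedExceptionUsers = @('svc-backup', 'svc-cim-ro')

function Test-EsxiHostBaseline {
    param([Parameter(Mandatory)] $VMHost)

    $findings = @()
    $cfg = $VMHost.ExtensionData.ConfigManager

    # Row 1: lockdown exception users must be service accounts only.
    # HostAccessManager.QueryLockdownExceptions() returns the current exception list.
    $accessMgr = Get-View -Id $cfg.HostAccessManager
    foreach ($user in $accessMgr.QueryLockdownExceptions()) {
        if ($ApprovedExceptionUsers -notcontains $user) {
            $findings += "Unapproved lockdown exception user: $user"
        }
    }

    # Row 4: the default VMCA-issued certificate must have been replaced.
    # HostCertificateManager.CertificateInfo exposes the issuer and validity status.
    $certMgr = Get-View -Id $cfg.CertificateManager
    $info = $certMgr.CertificateInfo
    # Assumed default VMCA issuer naming; a trusted-CA issuer should not match this.
    if ($info.Issuer -match 'OU=VMware Engineering' -or $info.Issuer -match 'DC=vsphere') {
        $findings += "Host certificate still issued by VMCA: $($info.Issuer)"
    }
    if ("$($info.Status)" -ne 'good') {
        $findings += "Host certificate status is $($info.Status) (expires $($info.NotAfter))"
    }

    [pscustomobject]@{ Host = $VMHost.Name; Findings = $findings }
}

# Report only hosts that deviate from the baseline.
Get-VMHost |
    ForEach-Object { Test-EsxiHostBaseline -VMHost $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

Run it read-only from a management workstation; it changes nothing on the hosts, so it is safe to schedule as a recurring drift check.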