You edit the /etc/ssh/sshd_config file on all hosts to deactivate login as the root user for the SSH daemon and activate secure boot.

You perform the procedure from an ESXi Shell session connected to the ESXi host and on all ESXi hosts in the respective workload domain.


  1. Log in to an ESXi host by using ESXi Shell as root.​
  2. Open the /etc/ssh/sshd_config file by using the VI editor.
    vi /etc/ssh/sshd_config
    1. VMW-ESXI-00005 In the VI editor, add or edit the following line to deactivate login as the root user.
      PermitRootLogin no
    2. Save and close the VI editor.
    3. Restart the SSH service to apply the new configurations.
      /etc/init.d/SSH restart
  3. VMW-ESXI-01108 Activate secure boot on the host.
    /usr/lib/vmware/secureboot/bin/ -c

    If an imaging appliance (VIA) is used to image the ESXi host, the host does not support UEFI, which is a requirement for activating secure boot. ESXi installations done through other methods are supported and can activate UEFI/secure boot.

    If the output indicates that secure boot cannot be activated, correct the discrepancies and try again.

  4. Perform the procedure on the remaining hosts in the current and any other workload domains.