To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, all operations must be performed through vCenter Server. Only the vpxuser user has authentication permissions, no other users can perform operations against the host directly.

When a host is in lockdown mode, you cannot run vSphere CLI commands from an administration server, from a script, or from vMA against the host. External software or management tools might not be able to retrieve or modify information from the ESXi host.


Users can be assigned DCUI access privileges explicitly via the DCUI Access advanced configuration option. The option has DCUI.Access as the key, and a comma-separated list of ESXi users as the value. Users in the list which can access the DCUI at any time, even if these users are not administrators (Admin role), and even when the host is in lockdown mode.

Enabling or disabling lockdown mode affects which types of users are authorized to access host services, but it does not affect the availability of those services. In other words, if the ESXi Shell, SSH, or Direct Console User Interface (DCUI) services are enabled, they will continue to run whether or not the host is in lockdown mode.

You can enable lockdown mode using the Add Host wizard to add a host to vCenter Server, using the vSphere Web Client to manage a host, or using the Direct Console User Interface (DCUI).


If you enable or disable lockdown mode using the Direct Console User Interface (DCUI), permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere Web Client connected to vCenter Server.

Lockdown mode is available only on ESXi hosts that have been added to vCenter Server.