The ESXi Shell is disabled by default on ESXi hosts. You can enable local and remote access to the shell if necessary.

Enable the ESXi Shell for troubleshooting only. The ESXi Shell is independent of in lockdown mode. The host running in lockdown mode does not prevent you from enabling or disabling the ESXi Shell.

See vSphere Security.

ESXi Shell

Enable this service to access the ESXi Shell locally.


Enable this service to access the ESXi Shell remotely by using SSH.

See vSphere Security.

Direct Console UI (DCUI)

When you enable this service while running in lockdown mode, you can log in locally to the direct console user interface as the root user and disable lockdown mode. You can then access the host using a direct connection to the VMware Host Client or by enabling the ESXi Shell.

The root user and users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. By default, only the root user can run system commands (such as vmware -v) by using the ESXi Shell.


Do not enable the ESXi Shell unless you actually need access.