Enable lockdown mode to require that all configuration changes go through vCenter Server. vSphere 6.0 and later supports normal lockdown mode and strict lockdown mode.

If you want to disallow all direct access to a host completely, you can select strict lockdown mode. Strict lockdown mode makes it impossible to access a host if the vCenter Server is unavailable and SSH and the ESXi Shell are disabled. See Lockdown Mode Behavior.

Procedure

  1. Browse to the host in the vSphere Web Client inventory.
  2. Click Configure.
  3. Under System, select Security Profile.
  4. In the Lockdown Mode panel, click Edit.
  5. Click Lockdown Mode and select one of the lockdown mode options.
    Option Description
    Normal The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.
    Strict The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are terminated.
  6. Click OK.