You can enable and disable normal lockdown mode from the Direct Console User Interface (DCUI). You can enable and disable strict lockdown mode only from the vSphere Client or the vSphere Web Client.

When the host is in normal lockdown mode, the following accounts can access the Direct Console User Interface:
  • Accounts in the Exception Users list who have administrator privileges on the host. The Exception Users list is meant for service accounts such as a backup agent.
  • Users defined in the DCUI.Access advanced option for the host. This option can be used to enable access in case of catastrophic failure.

For ESXi 6.0 and later, user permissions are preserved when you enable lockdown mode. User permissions are restored when you disable lockdown mode from the Direct Console User Interface.

Note: If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting lockdown mode, and if you exit lockdown mode after the upgrade, all permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible.

To retain permissions, disable lockdown mode for the host from either the vSphere Client or the vSphere Web Client before the upgrade.

Procedure

  1. At the Direct Console User Interface of the host, press F2 and log in.
  2. Scroll to the Configure Lockdown Mode setting and press Enter to toggle the current setting.
  3. Press Esc until you return to the main menu of the Direct Console User Interface.
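
Before toggling lockdown mode, it helps to know which accounts will still reach the Direct Console User Interface. The following read-only audit is an added example, not part of the original documentation; it assumes VMware PowerCLI, an existing `Connect-VIServer` session, and hosts running ESXi 6.0 or later, and the function name `Get-LockdownAudit` is hypothetical.

```powershell
# Added example: read-only audit of lockdown mode, the Exception Users list
# and the DCUI.Access advanced option. Nothing here changes host configuration.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
function Get-LockdownAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost   # one or more host objects from Get-VMHost (ESXi 6.0 or later assumed)
    )
    process {
        foreach ($h in $VMHost) {
            # Current state: lockdownDisabled, lockdownNormal or lockdownStrict
            $mode = $h.ExtensionData.Config.LockdownMode

            # Exception Users list, read through the host's HostAccessManager
            $accessMgr  = Get-View -Id $h.ExtensionData.ConfigManager.HostAccessManager
            $exceptions = @($accessMgr.QueryLockdownExceptions())

            # DCUI.Access advanced option: comma-separated list of user names
            $raw       = (Get-AdvancedSetting -Entity $h -Name 'DCUI.Access').Value
            $dcuiUsers = @("$raw" -split ',' |
                           ForEach-Object { $_.Trim() } |
                           Where-Object   { $_ })

            [pscustomobject]@{
                Host           = $h.Name
                Version        = $h.Version
                LockdownMode   = $mode
                ExceptionUsers = $exceptions -join ', '
                DcuiAccess     = $dcuiUsers -join ', '
                # True when no DCUI.Access user is defined, so there is no
                # console fallback account for a catastrophic failure
                NoDcuiFallback = ($dcuiUsers.Count -eq 0)
            }
        }
    }
}

# Report every host visible in the current session
Get-VMHost | Get-LockdownAudit | Format-Table -AutoSize
```

Review the ExceptionUsers column against the service accounts you expect, since any listed account with administrator privileges keeps Direct Console User Interface access in normal lockdown mode.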