Enable lockdown mode to require that all configuration changes go through vCenter Server. vSphere 6.0 and later supports normal lockdown mode and strict lockdown mode.

To completely disallow all direct access to a host, you can select strict lockdown mode. Strict lockdown mode makes it impossible to access a host if the vCenter Server is unavailable and SSH and the ESXi Shell are disabled. See Lockdown Mode Behavior.

1. Browse to the host in the vSphere Web Client inventory.
2. Click the Manage tab and click Settings.
3. Under System, select Security Profile.
4. In the Lockdown Mode panel, click Edit.
5. Click Lockdown Mode and select one of the lockdown mode options.

   - Normal: The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell are enabled, access might be possible.
   - Strict: The host can only be accessed through vCenter Server. If SSH or the ESXi Shell are enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are terminated.

6. Click OK.
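
The same change can be scripted and checked with VMware PowerCLI. The following is an added example, not part of the original procedure or VMware's own code: it sets the mode and reports what direct access paths remain (exception users, DCUI.Access, running SSH and ESXi Shell services). It assumes an existing Connect-VIServer session, and the host name is a placeholder.

```powershell
# Added example; assumes VMware PowerCLI and an existing Connect-VIServer session.
# 'esxi01.example.test' is a placeholder host name.
param(
    [string]$HostName = 'esxi01.example.test',
    [ValidateSet('lockdownNormal', 'lockdownStrict')]
    [string]$Mode = 'lockdownNormal'
)

$vmhost    = Get-VMHost -Name $HostName -ErrorAction Stop
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# Record what can still reach the host directly before changing the mode.
$exceptions = $accessMgr.QueryLockdownExceptions()
$dcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
$shells     = Get-VMHostService -VMHost $vmhost |
    Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }   # ESXi Shell and SSH

# Strict mode with both services stopped leaves no direct path to the host
# if vCenter Server becomes unavailable, so surface that before applying.
if ($Mode -eq 'lockdownStrict' -and -not ($shells | Where-Object Running)) {
    Write-Warning "${HostName}: strict mode with SSH and ESXi Shell stopped; the host cannot be accessed if vCenter Server is unavailable."
}

# Only call the API when the mode actually differs from the current one.
if ($accessMgr.LockdownMode -ne $Mode) {
    $accessMgr.ChangeLockdownMode($Mode)
    $accessMgr.UpdateViewData()   # refresh the cached view after the change
}

# Summary for change records or periodic audit.
[pscustomobject]@{
    Host           = $HostName
    LockdownMode   = $accessMgr.LockdownMode
    ExceptionUsers = $exceptions -join ', '
    'DCUI.Access'  = $dcuiAccess
    RunningShells  = ($shells | Where-Object Running).Key -join ', '
}
```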