Lockdown mode prevents remote personnel from logging in to the ESXi host by using the root login name.

By default, lockdown mode is disabled. If you enable lockdown mode and do not configure other local host user accounts to have standalone host access through the vSphere Client, the root user does not have access through the vSphere API and CLI. Users can still access the host through the direct console or through an authorized, centralized management application, such as vCenter Server.

When lockdown mode is enabled, you can create a user with administrator privileges to connect to a standalone host. Do not use this approach in environments with numerous hosts, because maintaining separate user password databases for each host might be difficult.

To enable lockdown mode, the host must be in the vCenter Server inventory. You can either enable lockdown mode in the Add Host wizard when you add the host to the vCenter Server inventory or afterwards from the direct console. This procedure describes how to enable lockdown mode from the direct console.


1. Select Configure Lockdown Mode and press Enter.
2. Press the spacebar to select Enable Lockdown Mode and press Enter.
3. Press Enter.