Enabling lockdown mode affects which users are authorized to access host services.

Users who were logged in to the ESXi Shell before lockdown mode was enabled remain logged in and can run commands. However, these users cannot disable lockdown mode. No other users, including the root user and users with the Administrator role on the host, can use the ESXi Shell to log in to a host that is in lockdown mode.

Users with administrator privileges on the vCenter Server system can use the vSphere Client to disable lockdown mode for hosts that are managed by the vCenter Server system. Users granted the DCUI Access privilege can always log directly in to the host using the Direct Console User Interface (DCUI) to disable lockdown mode, even if the user does not have the Administrator role on the host. You must use Advanced Settings to grant the DCUI Access privilege.

Note: When you disable lockdown mode using the DCUI, all users with the DCUI Access privilege are granted the Administrator role on the host.

Root users or users with the Administrator role on the host cannot log directly in to the host with the DCUI if they have not been granted the DCUI Access privilege. If the host is not managed by vCenter Server or if the host is unreachable, only DCUI Access users can log in to the DCUI and disable lockdown mode. If the DCUI service is stopped, you must reinstall ESXi.
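The recovery conditions above can be checked per host before they become a lockout. The following PowerCLI sketch is an added example, not VMware code: the function name and finding texts are hypothetical, and it assumes the DCUI Access list is stored in the `DCUI.Access` advanced setting and that the service key is `DCUI`.

```powershell
# Added example (not VMware code). Flags hosts in lockdown mode whose console
# recovery path is missing, and lists who becomes Administrator on DCUI recovery.
function Test-LockdownRecovery {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [bool]     $LockdownEnabled,
        [bool]     $DcuiRunning,
        [string[]] $DcuiAccessUsers
    )
    $users    = @($DcuiAccessUsers | Where-Object { $_ })   # drop empty entries
    $findings = @()
    if ($LockdownEnabled -and -not $DcuiRunning) {
        $findings += 'DCUI service stopped: if vCenter Server cannot reach the host, recovery requires reinstalling ESXi'
    }
    if ($LockdownEnabled -and $users.Count -eq 0) {
        $findings += 'No DCUI Access users: only vCenter Server can disable lockdown mode'
    }
    if ($LockdownEnabled -and $users.Count -gt 0) {
        # Disabling lockdown mode from the DCUI grants these accounts the Administrator role.
        $findings += "Granted Administrator if lockdown is disabled from the DCUI: $($users -join ', ')"
    }
    [pscustomobject]@{ Host = $HostName; Lockdown = $LockdownEnabled; Findings = $findings }
}

if (Get-Command Get-VMHost -ErrorAction SilentlyContinue) {
    # Live audit: needs VMware PowerCLI and an existing Connect-VIServer session.
    foreach ($h in Get-VMHost) {
        $access = (Get-AdvancedSetting -Entity $h -Name 'DCUI.Access').Value
        $dcui   = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'DCUI' }
        Test-LockdownRecovery -HostName $h.Name `
            -LockdownEnabled ([bool]$h.ExtensionData.Config.AdminDisabled) `
            -DcuiRunning ([bool]$dcui.Running) `
            -DcuiAccessUsers ("$access" -split ',' | ForEach-Object { $_.Trim() })
    }
} else {
    # Constructed sample records (host names and accounts are made up) for offline use.
    Test-LockdownRecovery -HostName 'esx01.example.test' -LockdownEnabled $true `
        -DcuiRunning $false -DcuiAccessUsers @()
    Test-LockdownRecovery -HostName 'esx02.example.test' -LockdownEnabled $true `
        -DcuiRunning $true -DcuiAccessUsers 'root', 'breakglass'
}
```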

Different services are available to different types of users when the host is running in lockdown mode, compared to when the host is running in normal mode. Nonroot users cannot run system commands in the ESXi Shell.

Lockdown Mode Behavior

| Service | Normal Mode | Lockdown Mode |
| --- | --- | --- |
| vSphere WebServices API | All users, based on ESXi permissions | vCenter only (vpxuser) |
| CIM Providers | Root users and users with Admin role on the host | vCenter only (ticket) |
| Direct Console UI (DCUI) | Users with Admin role on the host and users with the DCUI Access privilege | Users with the DCUI Access privilege |
| ESXi Shell | Users with Admin role on the host | No users |
| SSH | Users with Admin role on the host | No users |