ESXi Lockdown Mode is a security feature in VMware ESXi that restricts direct access to the ESXi host, allowing access only through vCenter Server. This feature is designed to enhance security by preventing unauthorized users from modifying the ESXi host configuration outside of vCenter Server.
There are two types of lockdown modes in ESXi:
Normal Lockdown Mode:
- In this mode, direct logins to the ESXi host are refused for all users except those on the host's Exception Users list (local accounts that must already hold the Administrator role). Users named in the DCUI.Access advanced setting (root by default) can additionally still use the DCUI.
- Exception users are configured via the vSphere Client (Configure > System > Security Profile > Lockdown Mode) and can still log in to the host directly over SSH, the ESXi Shell or the Direct Console User Interface (DCUI), provided those services are enabled.
Strict Lockdown Mode:
- In strict mode, the DCUI service is stopped, so nobody can use the console, not even exception users.
- Exception users and DCUI.Access users retain direct access only through SSH or the ESXi Shell, and only if those services are running; if they are disabled, the host can be managed solely through vCenter Server.
- If vCenter Server becomes unavailable and no exception user can reach SSH or the ESXi Shell, there is no way back into the host, and recovery means reinstalling ESXi. Plan the exception users and the vCenter recovery path before switching to strict mode.
Benefits of Lockdown Mode
- Improved Security: Prevents unauthorized access to ESXi hosts.
- Centralized Management: Ensures all administrative tasks are performed through vCenter Server.
- Reduced Risk: Minimizes configuration drift and potential security vulnerabilities.
Check lockdown status of ESXi in vCenter
The script below lists out all the ESXi hosts in a vCenter and their lockdown mode.
# Connect to the vCenter Server
# Prefer -Credential (Get-Credential) over a plaintext password in the script
Connect-VIServer -Server "<vCenter_Server_IP_or_FQDN>" -User "<username>" -Password "<password>"
# Retrieve all ESXi hosts from the vCenter
$esxiHosts = Get-VMHost | Where-Object {$_.ConnectionState -eq "Connected"}
foreach ($esxiHost in $esxiHosts) {
try {
# Get the lockdown mode status
$lockdownMode = $esxiHost.ExtensionData.Config.LockdownMode
# Display lockdown mode status
Write-Host "Host: $($esxiHost.Name)"
Write-Host "Lockdown Mode: $lockdownMode"
Write-Host "--------------------------------------------"
} catch {
Write-Host "Error retrieving lockdown mode status for host: $($esxiHost.Name)"
Write-Host "Error details: $_"
}
}
# Disconnect from the vCenter Server
Disconnect-VIServer -Confirm:$false
Lockdown Mode Values (the HostLockdownMode enumeration returned by Config.LockdownMode):
- lockdownDisabled: Lockdown mode is disabled.
- lockdownNormal: Normal lockdown mode is enabled.
- lockdownStrict: Strict lockdown mode is enabled.
How Lockdown Mode Works
When lockdown mode is enabled:
- Logins over SSH and the ESXi Shell are refused for everyone except exception users and DCUI.Access users. Lockdown mode does not stop the SSH or ESXi Shell services themselves; disable them separately if direct shell access is not wanted.
- The Direct Console User Interface (DCUI) is restricted to DCUI.Access and exception users in normal mode and is stopped entirely in strict mode.
- vCenter Server keeps full access in both modes through its own vpxuser account, so anything done from the vSphere Client or PowerCLI against vCenter continues to work.
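The per-host state described above (lockdown mode, exception users, DCUI.Access, and whether SSH is still running) is what an audit should capture together. The following PowerCLI script is an added example and not part of the original page; the vCenter hostname, the break-glass account name and the policy encoded in the Finding column are assumptions to replace with your own. The API calls it uses (HostAccessManager.QueryLockdownExceptions, the DCUI.Access advanced setting, Get-VMHostService) are the public vSphere ones.

```powershell
# Added example (not from the original page): audit lockdown posture across a
# vCenter. Hostname, break-glass account and the policy in 'Finding' are assumed.
Import-Module VMware.PowerCLI -ErrorAction Stop

# Prompt for credentials instead of embedding a password in the script.
$cred = Get-Credential -Message 'vCenter credentials'
Connect-VIServer -Server 'vcenter.example.internal' -Credential $cred | Out-Null

# Assumed policy: the only permitted exception user is the break-glass account.
$approvedExceptions = @('breakglass')

$report = foreach ($vmhost in (Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' })) {
    # ConfigManager.HostAccessManager is a managed object reference, not the
    # object itself, so resolve it with Get-View before calling its methods.
    $ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

    $mode       = [string]$vmhost.ExtensionData.Config.LockdownMode
    $exceptions = @($ham.QueryLockdownExceptions())
    # DCUI.Access lists users who may use the console regardless of lockdown mode.
    $dcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
    # Lockdown mode does not stop SSH by itself, so report the service state too.
    $sshRunning = [bool](Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }).Running

    $unapproved = @($exceptions | Where-Object { $approvedExceptions -notcontains $_ })

    # First matching condition wins; order reflects severity.
    if ($mode -eq 'lockdownDisabled')   { $finding = 'lockdown disabled' }
    elseif ($unapproved.Count -gt 0)    { $finding = "unapproved exception user: $($unapproved -join ',')" }
    elseif ($sshRunning)                { $finding = 'SSH service running' }
    else                                { $finding = 'ok' }

    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $mode
        ExceptionUsers = ($exceptions -join ',')
        DCUIAccess     = $dcuiAccess
        SSHRunning     = $sshRunning
        Finding        = $finding
    }
}

$report | Sort-Object Finding, Host | Format-Table -AutoSize
Disconnect-VIServer -Confirm:$false
```

Run it from a workstation with the VMware.PowerCLI module installed; the Finding column is meant to be diffed between runs, since a host that silently drops out of lockdown or grows an extra exception user is exactly the configuration drift lockdown mode is supposed to prevent.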
Enabling Lockdown Mode
Lockdown mode can be enabled via:
- vSphere Client: Navigate to the host settings and enable lockdown mode.
- PowerCLI: Use scripts to enable or disable lockdown mode across multiple hosts.
Enabling Lockdown Mode via Web Client
Navigate to the Host:
In the inventory, select the ESXi host for which you want to enable lockdown mode.
Go to Host Settings:
Click on the Configure tab.
Under System, select Security Profile.
Enable Lockdown Mode:
In the Lockdown Mode section, click Edit.
Choose the desired mode:
Normal: Keeps direct access for exception users and DCUI.Access users.
Strict: Stops the DCUI service; exception users keep direct access only through SSH or the ESXi Shell if those services are enabled.
Add any break-glass accounts to the Exception Users list in the same dialog before saving, since the list is empty by default.
Click OK to apply the changes.
Enabling via Code
When enabling lockdown mode on several hosts at once, a script is more practical than clicking through each host.
# Connect to the vCenter Server
# Prefer -Credential (Get-Credential) over a plaintext password in the script
Connect-VIServer -Server "<vCenter_Server_IP_or_FQDN>" -User "<username>" -Password "<password>"
# Retrieve all ESXi hosts from the vCenter
$esxiHosts = Get-VMHost | Where-Object {$_.ConnectionState -eq "Connected"}
foreach ($esxiHost in $esxiHosts) {
try {
# ConfigManager.HostAccessManager is a managed object reference; Get-View resolves it
$hostAccessManager = Get-View -Id $esxiHost.ExtensionData.ConfigManager.HostAccessManager
# Set lockdown mode to "Normal" (make sure exception users are configured first)
$hostAccessManager.ChangeLockdownMode("lockdownNormal")
Write-Host "Lockdown mode set to Normal for host: $($esxiHost.Name)"
} catch {
Write-Host "Error setting lockdown mode for host: $($esxiHost.Name)"
Write-Host "Error details: $_"
}
}
# Disconnect from the vCenter Server
Disconnect-VIServer -Confirm:$false
ChangeLockdownMode:
Method of the host's HostAccessManager that sets the lockdown mode; here it sets "Normal" for each ESXi host.
The mode can be set to "lockdownDisabled", "lockdownNormal" or "lockdownStrict".
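A bulk change that only calls ChangeLockdownMode can lock administrators out if the Exception Users list is empty. The script below is an added example, not code from the original page: it merges a break-glass account into each host's exception list before changing the mode, then reads the mode back from the host. The vCenter hostname, the account name and the target mode are assumptions; the methods used (QueryLockdownExceptions, UpdateLockdownExceptions, ChangeLockdownMode) are the public HostAccessManager API.

```powershell
# Added example (not from the original page): enable lockdown mode across a
# vCenter without losing the break-glass account. Hostname, account name and
# target mode are assumptions to replace.
Import-Module VMware.PowerCLI -ErrorAction Stop

$cred = Get-Credential -Message 'vCenter credentials'
Connect-VIServer -Server 'vcenter.example.internal' -Credential $cred | Out-Null

# Break-glass account(s) that must keep direct access (assumed name). Each must
# already exist on the host as a local account with the Administrator role.
$breakGlass = @('breakglass')
# Start with normal mode; move to lockdownStrict only once vCenter itself is
# highly available and backed up, because strict mode stops the DCUI.
$targetMode = 'lockdownNormal'

foreach ($vmhost in (Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' })) {
    # Resolve the managed object reference to the HostAccessManager view.
    $ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    try {
        # UpdateLockdownExceptions replaces the whole list, so merge rather than overwrite.
        $current = @($ham.QueryLockdownExceptions())
        $missing = @($breakGlass | Where-Object { $current -notcontains $_ })
        if ($missing.Count -gt 0) {
            $ham.UpdateLockdownExceptions(@($current + $missing))
            Write-Host "$($vmhost.Name): added exception users $($missing -join ',')"
        }

        # Only change the mode when it differs from the target.
        if ([string]$vmhost.ExtensionData.Config.LockdownMode -ne $targetMode) {
            $ham.ChangeLockdownMode($targetMode)
        }

        # Read the mode back from the host instead of trusting the call succeeded.
        $vmhost.ExtensionData.UpdateViewData('Config.LockdownMode')
        $actual = [string]$vmhost.ExtensionData.Config.LockdownMode
        if ($actual -ne $targetMode) {
            throw "mode is $actual after change, expected $targetMode"
        }
        Write-Host "$($vmhost.Name): lockdown mode is $actual"
    } catch {
        Write-Warning "$($vmhost.Name): $($_.Exception.Message)"
    }
}

Disconnect-VIServer -Confirm:$false
```

Test the break-glass login over SSH on one host before rolling the change to the rest; the exception user only helps if the account's password is actually known to the team and the SSH or ESXi Shell service is enabled on the host.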
Enabling via DCUI
Access the DCUI:
- Log in to the ESXi host’s Direct Console User Interface (DCUI) using physical or remote access (e.g., iDRAC, iLO, or IPMI).
Navigate to Lockdown Mode:
- From the DCUI menu, select Configure Lockdown Mode.
Enable Lockdown Mode:
- Choose Enable Lockdown Mode and specify the mode (Normal or Strict).
- Enabling strict mode from the DCUI stops the very console you are using, so confirm the host is already managed by vCenter Server and that exception users are configured before choosing Strict.
Save Changes:
- Confirm the changes and exit the DCUI.