{
	"id": "d740af4f-cd35-4cc9-a33b-4cf450aaf816",
	"created_at": "2026-04-06T00:13:16.365774Z",
	"updated_at": "2026-04-10T03:21:39.974886Z",
	"deleted_at": null,
	"sha1_hash": "af6a2ffd691ef959f7d67e848c1f1c13ee15fceb",
	"title": "Enabling or disabling Lockdown mode on an ESXi host",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68892,
	"plain_text": "Enabling or disabling Lockdown mode on an ESXi host\r\nArchived: 2026-04-05 15:28:49 UTC\r\nESXi 6.x and above:\r\nStarting with vSphere 6.0, select normal Lockdown mode or strict Lockdown mode, which offer different degrees\r\nof lockdown.\r\nNormal Lockdown mode:\r\nIn normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and\r\naccess through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's\r\nDirect Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User\r\nInterface:\r\nAccounts in the Exception User list for lockdown mode who have administrative privileges on the host.\r\nThe Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi\r\nadministrators to this list defeats the purpose of lockdown mode.\r\nFor adding a normal service account to the Exception User list, see Specify Lockdown Mode\r\nException Users \r\nShould a domain user account need to be added to the Exception Users List, this must be done at the\r\nESXi host level with the process below:\r\nSee below: To Add Domain user account to the Exception Users List\r\nUsers defined in the DCUI.Access advanced option for the host. This option is for emergency access to the\r\nDirect Console Interface in case the connection to vCenter Server is lost. These users do not require\r\nadministrative privileges on the host.\r\nStrict Lockdown mode:\r\nIn strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere\r\nWeb Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are\r\nenabled and Exception Users are defined. If the connection to the vCenter Server system cannot be restored,\r\na reinstall of ESXi may be required.\r\nTo enable or disable Lockdown mode from the DCUI:\r\n1. Log directly in to the ESXi host.\r\n2. Open the DCUI on the host.\r\n3. Press F2 for Initial Setup.\r\n4. Press Enter to toggle the Configure Lockdown Mode setting.\r\nTo enable or disable Lockdown mode from the vSphere Web Client:\r\n1. Browse to the host in the vSphere Web Client inventory.\r\nhttps://knowledge.broadcom.com/external/article/336894/enabling-or-disabling-lockdown-mode-on-a.html\r\nPage 1 of 4\n\n2. Click the Manage tab and click Settings. (with 6.7, Click the Configure tab)\r\n3. Under System, select Security Profile.\r\n4. In the Lockdown Mode panel, click Edit.\r\n5. Click Lockdown Mode and select one of the lockdown mode options.\r\nAdd Domain user account to the Exception Users List\r\n1. The process is outlined here: Assign Permissions to a User for an ESXi Host in the VMware Host Client\r\n2. Right-click Host in the VMware Host Client inventory and then select Permissions.\r\n3. Click Add user.\r\n4. Click the Select a user text box and type in the domain user account (for example, DOMAIN\\userAccountName)\r\n5. Click the arrow next to the Select a role text box and select Administrator from the list.\r\n6. Click Add and then select Close.\r\n7. Follow the Steps here Specify Lockdown Mode Exception Users\r\n8. After this is done, enable Lockdown Mode (normal) in the vSphere Client UI (vCenter Server GUI) and\r\nthen attempt logging into the DCUI and shell for the ESXi host with the domain user account.\r\nAdd host permissions to the user\r\n1. Click on Host (left pane) and select Actions\u003e\u003ePermissions or \r\n2. Right-click Host in the VMware Host Client inventory and then Permissions.\r\n3. Click on Add user, and add the user to the Administrator role\r\n4. Select Save\r\nESXi 5.x and prior:\r\nWhen enabling Lockdown mode, only the vpxuser has authentication permissions. Other users cannot perform\r\nany operations directly on the host. Lockdown mode forces all operations to be performed through vCenter Server.\r\nA host in Lockdown mode cannot run vCLI commands from an administration server, from a script, or from the\r\nvMA on the host. In addition, external software or management tools might not be able to retrieve or modify\r\ninformation from the ESXi host.\r\nLockdown mode can be enabled from the Direct Console User Interface (DCUI).\r\nNotes:\r\nThese procedures are for ESXi only.\r\nThe host profile does not have a setting to enable or disable Lockdown mode.\r\nConfigure Lockdown Mode will be grayed out if vCenter is down or the host is disconnected from\r\nvCenter.\r\nNone of the troubleshooting services will work after Lockdown mode is enabled.\r\nIf Lockdown mode is enabled or disabled using the DCUI, permissions for users and groups on the host are\r\ndiscarded. To preserve these permissions, enable or disable Lockdown mode using the vSphere Client connected\r\nto vCenter Server.\r\nTo enable Lockdown mode:\r\n1. Log directly in to the ESXi host.\r\n2. Open the DCUI on the host.\r\n3. Press F2 for Initial Setup.\r\n4. Press Enter to toggle the Configure Lockdown Mode setting.\r\nUsing troubleshooting services\r\nBy default, troubleshooting services in ESXi hosts are disabled. These services can be enabled if necessary.\r\nTroubleshooting services can be enabled or disabled irrespective of the Lockdown mode on the host.\r\nThe various troubleshooting services are:\r\nLocal Tech Support Mode (TSM): Enable this service to troubleshoot issues locally.\r\nRemote Tech Support Mode Service (SSH): Enable this service to troubleshoot issues remotely.\r\nDirect Console User Interface Service (DCUI): When enabling this service while running in Lockdown\r\nmode, log in locally to the Direct Console User Interface as the root user and disable Lockdown mode.\r\nThen troubleshoot the issue using a direct connection to the vSphere Client or by enabling Tech Support\r\nMode.\r\nNote: To check the status or disable Lockdown mode when Lockdown mode is already enabled, enter the Direct\r\nConsole User Interface Service (DCUI) and then run these commands on the ESXi host.\r\nEnabling or disabling Lockdown mode using PowerCLI\r\nTo enable Lockdown mode using PowerCLI, run this command (Replace \u003chostname\u003e with the actual host name):\r\n(get-vmhost \u003chostname\u003e | get-view).EnterLockdownMode() | get-vmhost | select Name,@{N=\"LockDown\";E=\r\n{$_.Extensiondata.Config.adminDisabled}} | ft -auto\r\nExample: (get-vmhost esxi01.acme.com | get-view).EnterLockdownMode() | get-vmhost | select\r\nName,@{N=\"LockDown\";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto\r\nTo disable Lockdown mode, run this command (Replace \u003chostname\u003e with the actual host name):\r\n(get-vmhost \u003chostname\u003e | get-view).ExitLockdownMode()\r\nExample: (get-vmhost esxi01.acme.com | get-view).ExitLockdownMode()\r\nTo batch modify Lockdown mode using PowerCLI, save this text in a *.PS1 file and run with PowerCLI:\r\n$vCenter = 'vCenterServer_Name_or_IP_address'\r\nConnect-VIServer $vCenter\r\n$Scope = Get-VMHost #This will change the Lockdown Mode on all hosts managed by vCenter\r\nforeach ($ESXhost in $Scope) {\r\n(get-vmhost $ESXhost | get-view).ExitLockdownMode() # To DISABLE Lockdown Mode\r\n#(get-vmhost $ESXhost | get-view).EnterLockdownMode() # To ENABLE Lockdown Mode\r\n}\r\nDisconnect-VIServer -Server $vCenter -Confirm:$false\r\nSource: https://knowledge.broadcom.com/external/article/336894/enabling-or-disabling-lockdown-mode-on-a.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://knowledge.broadcom.com/external/article/336894/enabling-or-disabling-lockdown-mode-on-a.html"
	],
	"report_names": [
		"enabling-or-disabling-lockdown-mode-on-a.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af6a2ffd691ef959f7d67e848c1f1c13ee15fceb.pdf",
		"text": "https://archive.orkl.eu/af6a2ffd691ef959f7d67e848c1f1c13ee15fceb.txt",
		"img": "https://archive.orkl.eu/af6a2ffd691ef959f7d67e848c1f1c13ee15fceb.jpg"
	}
}