
HOW TO: Enable or Disable Lockdown Mode on VMware vSphere ESXi host

Q: What is Lockdown Mode?
A: Lockdown Mode prevents users from logging in directly to the host. The host will only be accessible through the local console or vCenter Server. None of the remote management options, e.g. vCLI, PowerCLI scripts or SSH, will work. When it is enabled, only vpxuser has authentication permissions and can connect to the host remotely.

Lockdown Mode can be enabled or disabled in four ways:

  1. From the Direct Console User Interface (DCUI);
  2. From vSphere Client;
  3. Using ESXi Shell;
  4. Using PowerCLI script.


1. Enable/Disable Lockdown Mode from DCUI:

  1. Open server console;
  2. Press F2 to Customize System/View Logs;
  3. Open Configure Lockdown Mode;
  4. Press SPACE to enable or disable lockdown mode;
  5. Press ENTER to save the changes.


2. Enable/Disable Lockdown Mode in vSphere Client:

  1. Open vSphere Client and connect to the host / vCenter Server;
  2. Select the host and click on Configuration tab;
  3. Under Software select Security Profile;
  4. Under Lockdown Mode click Edit;
  5. Tick / Untick Enable Lockdown Mode;
  6. Click OK.


3. Enable/Disable Lockdown Mode in ESXi Shell:

Check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
Enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
Disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit

Example:

~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
false
~ # vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
true
~ # vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
false
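
An added example (not part of the original post): a small wrapper around the three vim-cmd calls above that changes Lockdown Mode only when the current state differs from the requested one, then re-reads the state to confirm the change took effect. The function names and the VIM_CMD variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent Lockdown Mode helper for the ESXi Shell.
# VIM_CMD is an assumption of this example; it lets vim-cmd be replaced
# by a stub when the functions are exercised off-host.
VIM_CMD="${VIM_CMD:-vim-cmd}"

# Print "true" or "false"; return 2 if vim-cmd fails or prints anything else.
lockdown_state() {
    state=$($VIM_CMD -U dcui vimsvc/auth/lockdown_is_enabled 2>/dev/null) || return 2
    case "$state" in
        true|false) echo "$state" ;;
        *) return 2 ;;
    esac
}

# ensure_lockdown on|off
# Changes the mode only if needed, then verifies the result.
ensure_lockdown() {
    case "$1" in
        on)  want=true;  action=lockdown_mode_enter ;;
        off) want=false; action=lockdown_mode_exit ;;
        *)   echo "usage: ensure_lockdown on|off" >&2; return 64 ;;
    esac

    current=$(lockdown_state) || { echo "cannot read lockdown state" >&2; return 2; }
    if [ "$current" = "$want" ]; then
        echo "unchanged: lockdown_is_enabled=$current"
        return 0
    fi

    $VIM_CMD -U dcui "vimsvc/auth/$action" || return 1

    # Do not trust the exit status alone: read the state back.
    now=$(lockdown_state) || return 2
    if [ "$now" != "$want" ]; then
        echo "FAILED: lockdown_is_enabled=$now, wanted $want" >&2
        return 1
    fi
    echo "changed: lockdown_is_enabled=$current -> $now"
}

# Usage on the host: source this file, then run
#   ensure_lockdown on
```
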


4. Enable/Disable Lockdown Mode using PowerCLI script:

$vCenter = 'vCenterServer_Name_or_IP_address'
Connect-VIServer $vCenter
# This changes Lockdown Mode on ALL hosts managed by vCenter; narrow the Get-VMHost call if you need to
$Scope = Get-VMHost
foreach ($ESXhost in $Scope) {
    (Get-VMHost $ESXhost | Get-View).ExitLockdownMode()      # To DISABLE Lockdown Mode
    # (Get-VMHost $ESXhost | Get-View).EnterLockdownMode()   # To ENABLE Lockdown Mode
}
Disconnect-VIServer -Server $vCenter -Confirm:$false
