Q: What is Lockdown Mode?
A: Lockdown Mode prevents users from logging in directly to the host. The host will only be accessible through the local console or vCenter Server. None of the remote management options (e.g. vCLI, PowerCLI scripts, SSH) will work. When it is enabled, only vpxuser () has authentication permissions and can connect to the host remotely.
How can you enable/disable Lockdown Mode:
- From the Direct Console User Interface (DCUI);
- From vSphere Client;
- Using ESXi Shell;
- Using PowerCLI script.
1. Enable/Disable Lockdown Mode from DCUI:
- Open server console;
- Press F2 to Customize System/View Logs;
- Open Configure Lockdown Mode;
- Press SPACE to enable or disable lockdown mode;
- Press ENTER to save the changes.
2. Enable/Disable Lockdown Mode in vSphere Client:
- Open vSphere Client and connect to the host / vCenter Server;
- Select the host and click on Configuration tab;
- Under Software select Security Profile;
- Under Lockdown Mode click Edit;
- Tick / Untick Enable Lockdown Mode;
- Click OK.
3. Enable/Disable Lockdown Mode in ESXi Shell:
Check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
Enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
Disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
Example:
~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
false
~ # vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
true
~ # vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
~ # vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
false
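An added example (not part of the original post): a small wrapper around the three ESXi Shell commands above that changes lockdown mode only when the host is not already in the wanted state, and re-reads the state afterwards to confirm the change. The function names and the VIM_CMD override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. VIM_CMD is an assumed override
# so the wrapper can be dry-run against a stub instead of the real vim-cmd.
VIM_CMD="${VIM_CMD:-vim-cmd}"

# Print the current state ("true" or "false"); return 2 on any other answer.
lockdown_state() {
    out=$("$VIM_CMD" -U dcui vimsvc/auth/lockdown_is_enabled 2>/dev/null) || return 2
    case "$out" in
        true|false) printf '%s\n' "$out" ;;
        *) return 2 ;;
    esac
}

# set_lockdown true|false
# Returns 0 when the host is in the wanted state (already, or after a verified
# change), 1 when the change did not take effect, 2 on bad input or query error.
set_lockdown() {
    want=$1
    case "$want" in
        true)  action=lockdown_mode_enter ;;
        false) action=lockdown_mode_exit ;;
        *) echo "usage: set_lockdown true|false" >&2; return 2 ;;
    esac
    current=$(lockdown_state) || { echo "cannot read lockdown state" >&2; return 2; }
    if [ "$current" = "$want" ]; then
        echo "lockdown mode already $want, nothing changed"
        return 0
    fi
    "$VIM_CMD" -U dcui "vimsvc/auth/$action" || return 1
    # Re-read the state instead of trusting the exit status of the change.
    after=$(lockdown_state) || return 2
    if [ "$after" != "$want" ]; then
        echo "lockdown mode is still $after" >&2
        return 1
    fi
    echo "lockdown mode changed from $current to $want"
}
```

Source the file in the ESXi Shell and call `set_lockdown true` or `set_lockdown false`; the return code tells a calling script whether the host ended up in the requested state.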
4. Enable/Disable Lockdown Mode using PowerCLI script:
$vCenter = 'vCenterServer_Name_or_IP_address'
Connect-VIServer $vCenter
$Scope = Get-VMHost   # This will change the Lockdown Mode on all hosts managed by vCenter, amend this if you need to
foreach ($ESXhost in $Scope) {
    (Get-VMHost $ESXhost | Get-View).ExitLockdownMode()     # To DISABLE Lockdown Mode
    # (Get-VMHost $ESXhost | Get-View).EnterLockdownMode()  # To ENABLE Lockdown Mode
}
Disconnect-VIServer -Server $vCenter -Confirm:$false
On ESXi 5.1, when trying to disable lockdown mode from SSH, I receive: Failed to login: Connection refused
Hi Brandon,
Have you enabled SSH on the host? Host -> Configuration -> Security Profile -> Services -> Properties -> SSH -> Option / Start.