Third-party management tools, backup agents, or hardware consoles fail to connect to the ESXi host.
Lockdown Mode is currently enabled on the host.
VMware vSphere ESXi
When Lockdown Mode is enabled, direct authentication to the ESXi host is disabled for all users (including root) to enhance security. Access is restricted to the vCenter Server and the Direct Console User Interface (DCUI).
Only users explicitly added to the Exception Users list are exempt from these restrictions and can retain direct access privileges.
To allow specific accounts (such as service accounts for third-party applications) to access the host while Lockdown Mode is enabled, you must add them to the Exception Users list.
Ensure the user account exists on the ESXi host.
To verify the list of local accounts, run the following command over SSH (before enabling Lockdown Mode) or from the DCUI shell:
esxcli system account list
In the vSphere Client, select the ESXi host and navigate to Configure > System > Security Profile.
Under Lockdown Mode, click Edit.
Add the required account names to the Exception Users list.
Note: If using a domain account, include the domain (e.g., Domain\user).
The changes take effect immediately.
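The same change can be scripted. The PowerCLI sketch below is an added example, not part of the original article or VMware's own code. It assumes an existing vCenter session opened with Connect-VIServer, and the host name and account names are placeholders. It reads the current Exception Users list through the host's HostAccessManager and merges the new accounts into it before updating, because UpdateLockdownExceptions replaces the whole list rather than appending to it.

```powershell
# Added example. Assumes: Connect-VIServer has already been run against vCenter.
# The host name and account names are placeholders, not values from the article.
param(
    [string]$HostName = 'esxi01.example.local',
    # Domain accounts use the Domain\user form described in the article.
    [string[]]$AccountsToAdd = @('svc-backup', 'EXAMPLE\svc-monitor')
)

$vmhost    = Get-VMHost -Name $HostName -ErrorAction Stop
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# lockdownDisabled, lockdownNormal or lockdownStrict
Write-Host "Lockdown mode on ${HostName}: $($accessMgr.LockdownMode)"

# Current Exception Users (may be empty); drop null entries.
$current = @($accessMgr.QueryLockdownExceptions() | Where-Object { $_ })
Write-Host "Current exception users: $($current -join ', ')"

# -notin is case-insensitive, so 'ROOT' and 'root' count as the same account.
$missing = @($AccountsToAdd | Where-Object { $_ -notin $current })
if ($missing.Count -eq 0) {
    Write-Host 'All requested accounts are already exception users.'
    return
}

# The update call sets the complete list, so send existing + new entries.
$merged = @($current + $missing | Sort-Object -Unique)
$accessMgr.UpdateLockdownExceptions($merged)

# Read the list back and confirm every requested account is present.
$after      = @($accessMgr.QueryLockdownExceptions() | Where-Object { $_ })
$notApplied = @($AccountsToAdd | Where-Object { $_ -notin $after })
if ($notApplied.Count -gt 0) {
    throw "Not added to Exception Users: $($notApplied -join ', ')"
}
Write-Host "Exception users now: $($after -join ', ')"
```

Running the read-only portion on its own (everything up to the first Write-Host of the list) is a quick way to review which accounts keep direct access on each host.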
Configuring and Managing Lockdown Mode on ESXi Hosts
Exception users are typically service accounts required by third-party solutions that need OS-level access to the ESXi host.
Enabling Lockdown Mode or adding Exception Users does not affect the running state of virtual machines.