Enable Lockdown Mode

1.4e
To increase the security of your ESXi hosts, you can put them in lockdown mode.

When you enable lockdown mode, no users other than vpxuser have authentication permissions, nor can they perform operations against the host directly. Lockdown mode forces all operations to be performed through vCenter Server.

Lockdown mode is only available on ESXi hosts that have been added to vCenter Server.

Enable lockdown mode to require that all configuration changes go through vCenter Server.

  • Log in to a vCenter Server system using the vSphere Client.
  • Select the host in the inventory panel.
  • Click the Configuration tab and click Security Profile.
  • Click the Edit link next to lockdown mode.

The Lockdown Mode dialog box appears.

  • Select Enable Lockdown Mode.
  • Click OK.

Enable Lockdown Mode from the Direct Console User Interface

  • Toggle the Configure Lockdown Mode setting.

Enabling or disabling the Lockdown mode using ESXi Shell
ESXi 4.1

  • To check whether Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
  • To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
  • To enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
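The three vim-cmd calls above can be wrapped so that enabling Lockdown mode is idempotent and the result is verified rather than assumed. The script below is an added example, not code from this page or from VMware; it assumes it runs in the ESXi Tech Support Mode shell (busybox ash, so no bash-only syntax) and that lockdown_is_enabled prints true or false. The VIMCMD variable is an assumption added so the same logic can be exercised against a stub off the host. Remember that on ESXi 4.1 Lockdown mode blocks both local and remote Tech Support Mode, so once this script has enabled lockdown you will have to return to the DCUI, not the shell, to turn it off.

```shell
#!/bin/sh
# Idempotent Lockdown Mode toggle for an ESXi 4.1 host.
# Added example, not VMware code. Wraps the vim-cmd calls from the
# section above. VIMCMD is an assumption that lets the logic be run
# against a stub off-host; on a real host leave it unset.
VIMCMD="${VIMCMD:-vim-cmd}"

# Print the current state as "true" or "false" (what lockdown_is_enabled
# prints), with surrounding whitespace stripped so it compares cleanly.
lockdown_state() {
    "$VIMCMD" -U dcui vimsvc/auth/lockdown_is_enabled | tr -d ' \r\n'
}

# Drive the host to the requested state: "enable" or "disable".
# Prints one of: already-enabled, already-disabled, enabled, disabled, failed.
# Returns 0 when the host is in the requested state afterwards, 1 otherwise.
set_lockdown() {
    want="$1"
    case "$want" in
        enable|disable) ;;
        *) echo "usage: set_lockdown enable|disable" >&2; return 2 ;;
    esac

    cur="$(lockdown_state)"
    case "$want:$cur" in
        enable:true)   echo already-enabled;  return 0 ;;
        disable:false) echo already-disabled; return 0 ;;
        enable:false)  "$VIMCMD" -U dcui vimsvc/auth/lockdown_mode_enter >/dev/null ;;
        disable:true)  "$VIMCMD" -U dcui vimsvc/auth/lockdown_mode_exit  >/dev/null ;;
        *) echo "failed: unexpected lockdown state '$cur'"; return 1 ;;
    esac

    # Re-read the state instead of trusting the exit code: Lockdown mode is
    # only available on a host managed by vCenter Server, so confirm that the
    # mode actually changed before reporting success.
    case "$want:$(lockdown_state)" in
        enable:true)   echo enabled;  return 0 ;;
        disable:false) echo disabled; return 0 ;;
        *)             echo failed;   return 1 ;;
    esac
}

# Command-line use: ./lockdown.sh enable | disable | status
if [ $# -gt 0 ]; then
    case "$1" in
        status) lockdown_state ;;
        *)      set_lockdown "$1" ;;
    esac
fi
```

Run it as `sh lockdown.sh status` first to confirm the host is not already locked down, then `sh lockdown.sh enable`; the script exits non-zero if the post-check still reads false, which is the signal to verify that the host is actually attached to vCenter Server.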

Enabling Lockdown mode using PowerCLI

To enable Lockdown mode on a single host using PowerCLI, run:
  (Get-VMHost <hostname> | Get-View).EnterLockdownMode()

To report the Lockdown mode state of every host in the inventory (AdminDisabled is True when Lockdown mode is on), run:
  Get-VMHost | Select Name,@{N="LockDown";E={$_.ExtensionData.Config.AdminDisabled}} | ft -auto

When a host is in lockdown mode, you cannot run vCLI commands from an administration server, from a script, or from vMA against the host. External software or management tools might not be able to retrieve or modify information from the ESXi host.

Note
The root user is still authorized to log in to the direct console user interface when lockdown mode is enabled.

Enabling or disabling lockdown mode affects which users are authorized to access host services, but it does not affect the availability of those services. If Local Tech Support Mode, Remote Tech Support Mode (SSH), or the Direct Console User Interface (DCUI) services are enabled, they continue to run whether or not the host is in lockdown mode: the SSH listener still answers on the network and a port scan still shows it, but logins are refused. Lockdown mode is enforced at authentication, not by stopping the services, so disable services you do not need separately.
You can enable lockdown mode using the Add Host wizard to add an ESXi host to vCenter Server, using the vSphere Client to manage a host, or using the direct console user interface.

Lockdown mode removes direct remote root-level access to the host, for example through a vSphere Client connected to the host itself, and requires all communication to go through the vCenter agent (vpxa) on the ESXi system. When a host is managed by vCenter Server, the communication between the host and vCenter uses a special account called vpxuser.

When Lockdown Mode is enabled on the host, all direct remote access to the host is blocked, including:

  • Any vSphere API client, for example the vSphere Client, vCLI, and PowerCLI
  • Tech Support Mode, both local and remote (SSH)

Even if Tech Support Mode is enabled, Lockdown Mode overrides it by preventing any login from succeeding. The only way to manage the host remotely is through vCenter Server. The interaction between the host and vCenter Server occurs through a special-purpose account called "vpxuser"; all other user accounts, including root, can no longer connect remotely.
With Lockdown Mode enabled, the only direct access to the host that remains open is the DCUI. This provides a way to perform limited administrative tasks outside of vCenter Server, such as restarting management agents and viewing log files. You can also turn off Lockdown Mode from within the DCUI, which is the recovery path if vCenter Server itself becomes unavailable.

Access by interface in normal mode and in Lockdown mode (ESXi 4.1):

Access mode                                          Normal                                      Lockdown
vSphere API (vSphere Client, PowerCLI, vCLI, etc.)   Any user, based on local roles/privileges   None (except vCenter "vpxuser")
CIM                                                  Any user, based on local roles/privileges   None (except via vCenter ticket)
DCUI                                                 Root and users with admin privileges        Root only
Tech Support Mode (local)                            Root                                        None
Tech Support Mode (remote, SSH)                      Root                                        None

Prior to vSphere 4.1, Lockdown Mode did not truly lock down the host; it only disabled root access through the vSphere API. Non-root users could still use the API and its clients freely, and other services such as Tech Support Mode were not affected. Lockdown Mode in vSphere 4.1 is more absolute, and can be combined with disabling the DCUI service for a total lockdown.

References:
  • http://blogs.vmware.com/esxi/2010/09/the-new-lockdown-mode-in-esxi-41.html
  • http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.esxi_server_config.doc_41/esx_server_config/security_deployments_and_recommendations/c_esxi_lockdown_mode.html
  • http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008077
  • http://virtualizationreview.com/blogs/everyday-virtualization/2009/09/esxi-lockdown-mode.aspx