Lockdown mode

When you connect ESXi to vCenter, you can increase the host's security by putting the ESXi host in lockdown mode. Lockdown mode prevents remote users from logging in directly to the host, which can then be accessed only through the local console or an authorized centralized management application. You can modify the lockdown mode configuration in the host settings or from the Direct Console User Interface (DCUI).

In vSphere 6.7, lockdown mode has multiple settings and a user exception list. This allows users and solutions to be excluded from the lockdown mode settings. The following are the different configuration options:

  • Disabled: Lockdown mode is disabled.
  • Normal: DCUI is not blocked. Privileged user accounts can still log in to the ESXi host console and exit lockdown mode.
  • Strict: DCUI is stopped, and the host is accessible only through vCenter.

Strict mode dramatically reduces the manageability of the hosts, because CLI commands cannot be executed from an administration server or script. There is an option to access the ESXi server even under strict lockdown mode, but only for users defined in the exception users list. Users in this list retain their original permissions, allowing them to interact with the ESXi host. Typically, user accounts used for integration purposes, third-party solutions, or external applications are included in the exception users list.
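
Because exception users keep their permissions in every lockdown mode, it is worth auditing the mode and the exception list together. The following PowerShell is an added example, not code from the book: the account name `svc-backup`, the host names, and the sample records are constructed, and `Get-LockdownPosture` assumes VMware PowerCLI with an active `Connect-VIServer` session.

```powershell
# Added example, not from the book. Account names and sample records are constructed.
$ApprovedExceptions = @('svc-backup')   # hypothetical approved integration account

function Test-LockdownPosture {
    param(
        [string]$HostName,
        [string]$LockdownMode,      # lockdownDisabled | lockdownNormal | lockdownStrict
        [string[]]$ExceptionUsers = @(),
        [string[]]$Approved = @()
    )
    $findings = @()
    if ($LockdownMode -eq 'lockdownDisabled') {
        $findings += 'lockdown mode is disabled'
    }
    # Exception users keep their original permissions even in strict mode,
    # so every entry must be an account that was deliberately approved.
    foreach ($user in $ExceptionUsers) {
        if ($Approved -notcontains $user) {
            $findings += "unapproved exception user: $user"
        }
    }
    [pscustomobject]@{
        Host     = $HostName
        Mode     = $LockdownMode
        Pass     = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Live collection through vCenter with VMware PowerCLI (needs Connect-VIServer first).
function Get-LockdownPosture {
    foreach ($vmHost in Get-VMHost) {
        $accessMgr = Get-View $vmHost.ExtensionData.ConfigManager.HostAccessManager
        $record = @{
            HostName       = $vmHost.Name
            LockdownMode   = [string]$accessMgr.LockdownMode
            ExceptionUsers = $accessMgr.QueryLockdownExceptions()
            Approved       = $ApprovedExceptions
        }
        Test-LockdownPosture @record
    }
}

# Constructed sample records, so the checks run without a vCenter connection.
$sample = @(
    @{ HostName = 'esx01.example'; LockdownMode = 'lockdownStrict';   ExceptionUsers = @('svc-backup') }
    @{ HostName = 'esx02.example'; LockdownMode = 'lockdownNormal';   ExceptionUsers = @('svc-backup', 'jdoe') }
    @{ HostName = 'esx03.example'; LockdownMode = 'lockdownDisabled'; ExceptionUsers = @() }
)
foreach ($r in $sample) { Test-LockdownPosture @r -Approved $ApprovedExceptions }
```

With the sample records, `esx01.example` passes, `esx02.example` is flagged for the unapproved account `jdoe`, and `esx03.example` is flagged because lockdown mode is disabled.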
