Security Audit – Set and validate lock down mode for multiple hosts

It seems that the audit community has understood lockdown mode and is typically requesting that it be applied.

By enabling lockdown mode, no user other than vpxuser has authentication permissions on the host, and no user can perform operations against the host directly. Lockdown mode forces all operations to be performed through vCenter Server.

Be warned, though: if you use external software or management tools that connect directly to ESXi, they may no longer be able to retrieve or modify information on the host!

 

To enable lockdown mode on a single host and confirm the result:

(Get-VMHost <hostname> | Get-View).EnterLockdownMode()
Get-VMHost <hostname> | Select Name,@{N="LockDown";E={$_.ExtensionData.Config.AdminDisabled}} | Format-Table -AutoSize

To disable Lockdown mode, run this command:

(Get-VMHost <hostname> | Get-View).ExitLockdownMode()

 

For multiple hosts, save the following in a .PS1 file and run it with PowerCLI:

$Scope = Get-VMHost   # This will change the Lockdown Mode on ALL hosts managed by vCenter

foreach ($ESXhost in $Scope) {
    # Uncomment ONE of the two options below
    # To ENABLE Lockdown Mode
    #($ESXhost | Get-View).EnterLockdownMode()
    # To DISABLE Lockdown Mode
    #($ESXhost | Get-View).ExitLockdownMode()
}

Verify that lockdown mode is applied to the hosts:

Get-Cluster <cluster> | Get-VMHost | Select Name,@{N="Lockdown";E={$_.ExtensionData.Config.AdminDisabled}} | Format-List
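The enable-and-verify procedure above, combined into one audit function, as an added example that is not part of the original post. It assumes an existing PowerCLI session (Connect-VIServer) and a placeholder cluster name that you replace with your own; by default it only reports, and with -Enforce it enables lockdown mode only on hosts where it is still disabled and re-reads the host state afterwards instead of trusting the cached view.

```powershell
# Added example (not from the original post): audit every host in a cluster for
# lockdown mode and, with -Enforce, enable it only where it is still disabled.
# Assumes an existing PowerCLI session (Connect-VIServer); the cluster name is
# a placeholder you replace with your own.
function Test-LockdownCompliance {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        [switch] $Enforce
    )

    $hosts = Get-Cluster -Name $ClusterName | Get-VMHost
    foreach ($esx in $hosts) {
        $view    = $esx | Get-View
        $enabled = [bool] $view.Config.AdminDisabled
        $action  = 'None (already in lockdown)'

        if (-not $enabled) {
            if ($Enforce) {
                # Lockdown forces management through vCenter only; direct
                # authentication to the host is no longer possible.
                $view.EnterLockdownMode()
                # Re-read the property from the host rather than the cached view.
                $view.UpdateViewData('Config.AdminDisabled')
                $enabled = [bool] $view.Config.AdminDisabled
                $action  = if ($enabled) { 'Enabled' } else { 'FAILED to enable' }
            } else {
                $action = 'Non-compliant (report only)'
            }
        }

        [pscustomobject]@{
            Host     = $esx.Name
            Lockdown = $enabled
            Action   = $action
        }
    }
}

# Report only (safe to run during an audit):
Test-LockdownCompliance -ClusterName 'CLUSTER-PLACEHOLDER' | Format-Table -AutoSize

# Enforce on non-compliant hosts, then show any that still are not locked down:
# Test-LockdownCompliance -ClusterName 'CLUSTER-PLACEHOLDER' -Enforce |
#     Where-Object { -not $_.Lockdown } | Format-Table -AutoSize
```

Run the report-only form first so the caveat above about tools that talk to ESXi directly can be checked per host before anything is enforced.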
