When Lockdown Mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or VMware vSphere Command-Line Interface (vCLI). The only difference is that access is authenticated through the vCenter Server, instead of by using a local account on the ESXi host. While Lockdown Mode is enabled, access to the host through SSH is unavailable, except for configured exception users.
There are three Lockdown Mode that can be configured for an ESXi host:
- Disabled: Lockdown Mode is disabled. The host can be accessed normally.
- Normal: Lockdown Mode is enabled and the host can only be accessed through vCenter or the local console.
- Strict: Lockdown Mode is enabled and the local console is disabled.
When Lockdown Mode is enabled on a host, attempts to access the host directly will result in an error, unless the user is an exception user. The following screenshot shows an attempt to access a host in Lockdown Mode using the vSphere Client:

Exception users can continue to access a host in Lockdown Mode. Exception users can be used for emergency troubleshooting or for third-party applications that require direct access to a host.