In vSphere 6.5 (and older versions), there’s a feature called ‘Lockdown Mode’. Lockdown Mode is just another way you can secure your ESXi hosts. However, I think there’s some confusion around the different modes, the modes being Normal and Strict. Let’s go into what these do and what their behaviors will be.
To get to the Lockdown Mode interface:
HTML 5 Client: Go to the host, right-click, then Settings, Configure, Security Profile. Under Lockdown Mode, select Edit.
What do these modes do and how are they different?
Normal – The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.
Strict – The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are terminated. Additionally, the Direct Console User Interface (DCUI) service is disabled.
In strict and normal lockdown mode, privileged users can access the host through vCenter Server, either from the vSphere Web Client or by using the vSphere Web Services SDK.
The Exception Users list is on the Lockdown Mode selection screen, in the left-hand column. The DCUI.Access option is under Configure, Advanced System Settings: click the Edit button at the top, type DCUI in the filter bar, and in the value field enter one or more local users separated by commas.
What happens if the host is in Strict Lockdown Mode, vCenter can’t be accessed, SSH and the ESXi Shell are disabled, and/or there are no users on the Exception Users list or the DCUI.Access list has no valid accounts (meaning you don’t know who or what credentials to use)?
As of ESXi 6.5 you must rebuild your host.
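The lock-out scenario above is easy to audit for before it happens. The following is an added example (not code from the post or from VMware) that takes a snapshot of a host’s lockdown-related settings and reports the conditions described in the sections above: strict mode with SSH and the ESXi Shell off, or either mode with no Exception User that also holds administrator privileges. The snapshot values are constructed sample data; the field names (lockdown_mode, exception_users, dcui_access, ssh_enabled, shell_enabled, local_admins) are this example’s own and are assumed to be filled from the host’s configuration by whatever tooling you use.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class HostSnapshot:
    """Constructed view of one host's lockdown-related settings (sample data, not a real host)."""
    name: str
    lockdown_mode: str          # 'lockdownDisabled', 'lockdownNormal' or 'lockdownStrict'
    exception_users: List[str]  # accounts on the Exception Users list
    dcui_access: List[str]      # accounts in the DCUI.Access advanced option
    ssh_enabled: bool           # SSH service running
    shell_enabled: bool         # ESXi Shell service running
    local_admins: List[str]     # local accounts holding administrator privileges


def audit_lockdown(host: HostSnapshot) -> List[str]:
    """Return findings describing how the host could become unreachable if vCenter is lost."""
    findings: List[str] = []
    mode = host.lockdown_mode
    if mode == "lockdownDisabled":
        findings.append("lockdown disabled: host accepts direct logins, not restricted to vCenter")
        return findings
    if mode not in ("lockdownNormal", "lockdownStrict"):
        raise ValueError(f"unknown lockdown mode {mode!r}")

    # Exception Users only help if they also hold administrator privileges on the host.
    exception_admins = [u for u in host.exception_users if u in host.local_admins]
    direct_shell = host.ssh_enabled or host.shell_enabled

    if mode == "lockdownStrict":
        # The DCUI service is disabled in strict mode, so SSH/Shell is the only non-vCenter path.
        if not direct_shell:
            findings.append("strict: SSH and ESXi Shell are off; losing vCenter leaves no direct access (host rebuild)")
        if not exception_admins:
            findings.append("strict: no Exception User with administrator privileges; other sessions are terminated")
            if host.dcui_access:
                # A reader note on this post reports that on 7.0 DCUI.Access membership alone
                # did not keep an SSH session alive, so it is flagged rather than trusted here.
                findings.append(f"strict: DCUI.Access lists {host.dcui_access} but they are not Exception Users")
    else:  # lockdownNormal
        # The DCUI stays up, but only Exception Users with administrator privileges can log in.
        if not exception_admins:
            findings.append("normal: no Exception User with administrator privileges can log in to the DCUI")
    return findings


# Constructed sample hosts covering the cases discussed above.
SAMPLE_HOSTS = [
    HostSnapshot("esx-strict-locked", "lockdownStrict", [], ["root"], False, False, ["root"]),
    HostSnapshot("esx-strict-ok", "lockdownStrict", ["breakglass"], [], True, False, ["root", "breakglass"]),
    HostSnapshot("esx-normal-nonadmin", "lockdownNormal", ["ops"], [], False, False, ["root"]),
    HostSnapshot("esx-open", "lockdownDisabled", [], [], True, True, ["root"]),
]


def audit_all(hosts: List[HostSnapshot]) -> dict:
    """Map host name to its findings; hosts with an empty list have a usable fallback path."""
    return {h.name: audit_lockdown(h) for h in hosts}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HOSTS).items():
        print(name, "->", findings or "OK")
```

The useful output is the host with an empty findings list: it is in strict mode but keeps SSH on and has an Exception User who is also a local administrator, which is the combination that avoids the rebuild described above.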
More information can be found in the VMware Docs.
‘If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled.’ -> If the user is not in the Exception User accounts, the SSH session will get terminated. It does not matter if that user is part of DCUI.Access; it also has to be part of the Exception Users list. At least on 7.0.