Information
The Direct Console User Interface (DCUI) allows low-level host configuration, such as setting the IP address, hostname, and root password, as well as diagnostic
capabilities such as enabling the ESXi shell, viewing log files, restarting agents, and resetting configurations.
The DCUI can be disabled to prevent any local administration from the host. Once the DCUI is disabled,
any administration of the ESXi host must be done through vCenter.
Rationale
Actions performed from the DCUI are not tracked by vCenter Server. Even if Lockdown Mode is enabled, users who are
members of the DCUI.Access list can perform administrative tasks in the DCUI, bypassing role-based access control and
auditing controls provided through vCenter. Disabling DCUI prevents all local activity, and thus forces actions to be
performed in vCenter Server, where they can be centrally audited and monitored.
Solution
To disable DCUI, perform the following:
1. From the vSphere web client, select the host.
2. Select "Configure" -> "System" -> "Security Profile".
3. Scroll down to "Services".
4. Click "Edit...".
5. Select "Direct Console UI".
6. Click "Stop".
7. Change the Startup Policy to "Start and Stop Manually".
8. Click "OK".
Alternatively, use the following PowerCLI command:
# Set DCUI to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" } | Set-VMHostService -Policy Off
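The one-liner above only changes the startup policy, while the web client steps also stop the running service. The following added example (not part of the benchmark text) audits both conditions per host, lists the DCUI.Access setting mentioned in the Rationale, and then previews the remediation. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function names Get-DcuiState and Disable-Dcui are illustrative.

```powershell
# Added example. Assumes an active Connect-VIServer session to vCenter.
# Get-DcuiState and Disable-Dcui are illustrative names, not PowerCLI cmdlets.

function Get-DcuiState {
    param([Parameter(Mandatory)] $VMHost)
    foreach ($h in $VMHost) {
        $svc = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'DCUI' }
        [pscustomobject]@{
            VMHost     = $h
            Running    = $svc.Running
            Policy     = "$($svc.Policy)"
            # Accounts that keep DCUI access under Lockdown Mode (see Rationale).
            DcuiAccess = (Get-AdvancedSetting -Entity $h -Name 'DCUI.Access').Value
            # Compliant only when stopped AND policy is "Start and Stop Manually".
            Compliant  = (-not $svc.Running) -and ("$($svc.Policy)" -eq 'off')
        }
    }
}

function Disable-Dcui {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $VMHost)
    foreach ($h in $VMHost) {
        $svc = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'DCUI' }
        if ($PSCmdlet.ShouldProcess($h.Name, 'Stop DCUI and set startup policy to Off')) {
            # Mirror the web client steps: stop the service, then set the policy.
            if ($svc.Running) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
            Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
        }
    }
}

# Disconnected or unresponsive hosts cannot be queried, so they are skipped.
$hosts  = Get-VMHost -State Connected, Maintenance
$report = @($hosts | ForEach-Object { Get-DcuiState -VMHost $_ })
$report | Format-Table VMHost, Running, Policy, DcuiAccess, Compliant -AutoSize

# Preview the change on non-compliant hosts; remove -WhatIf to apply it.
$failing = @($report | Where-Object { -not $_.Compliant })
if ($failing.Count -gt 0) {
    Disable-Dcui -VMHost $failing.VMHost -WhatIf
}
```

Re-running the audit after remediation should show every reachable host as compliant; hosts filtered out by connection state need to be checked once they reconnect.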