5.2 Ensure the ESXi shell is disabled


The ESXi shell is an interactive command line environment available from the Direct Console User Interface (DCUI) or remotely via SSH. The ESXi shell should only be enabled on a host when running diagnostics or troubleshooting.


Activities performed from the ESXi shell bypass vCenter RBAC and audit controls, so the ESXi shell should only be enabled when needed to troubleshoot/resolve problems that cannot be fixed through the vSphere web client or vCLI/PowerCLI.


To disable the ESXi shell, perform the following:

From the vSphere Web Client, select the host.

Select Configure then expand System and select Services.

Click on ESXi Shell then click Edit Startup Policy.

Set the Startup Policy to Start and Stop Manually.

Click on OK.

Alternately, use the following PowerCLI command:

# Set the ESXi shell to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq 'TSM' } | Set-VMHostService -Policy Off
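
To verify the setting afterwards, the following added example (not part of the original benchmark text) reports the ESXi Shell state per host. Test-EsxiShellCompliance is a hypothetical helper name, the host names are constructed sample data, and flagging a shell that is still running as a finding is an assumption of this example, made because changing the startup policy does not stop a service that is already running.

```powershell
# Added example: audit check for the ESXi Shell (service key 'TSM').
# Test-EsxiShellCompliance is a hypothetical helper name, not a PowerCLI cmdlet.
function Test-EsxiShellCompliance {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-VMHostService output: VMHost, Key, Policy, Running
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Service
    )
    process {
        if ($Service.Key -ne 'TSM') { return }   # ignore every other service

        $findings = @()
        # 'off' is the policy value that corresponds to "Start and Stop Manually"
        if ($Service.Policy -ne 'off') {
            $findings += "startup policy is '$($Service.Policy)', expected 'off'"
        }
        # Assumption of this example: a running shell is reported as a finding,
        # because changing the startup policy does not stop a running service
        if ($Service.Running) {
            $findings += 'service is currently running'
        }

        [pscustomobject]@{
            VMHost    = "$($Service.VMHost)"
            Policy    = $Service.Policy
            Running   = [bool]$Service.Running
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample data so the check can be run without a vCenter connection
$sample = @(
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'TSM';     Policy = 'off'; Running = $false }
    [pscustomobject]@{ VMHost = 'esx02.example.test'; Key = 'TSM';     Policy = 'on';  Running = $true  }
    [pscustomobject]@{ VMHost = 'esx03.example.test'; Key = 'TSM';     Policy = 'off'; Running = $true  }
    [pscustomobject]@{ VMHost = 'esx03.example.test'; Key = 'TSM-SSH'; Policy = 'on';  Running = $true  }
)
$sample | Test-EsxiShellCompliance | Format-Table -AutoSize

# Against live hosts (requires an existing Connect-VIServer session):
#   Get-VMHost | Get-VMHostService | Test-EsxiShellCompliance | Where-Object { -not $_.Compliant }
```

With the sample data, esx01 is reported compliant, esx02 fails on both policy and running state, and esx03 fails only because the shell is still running.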
