Lockdown mode can disable all direct root access to ESXi machines.

To make changes to ESXi systems in lockdown mode you must go through a vCenter Server system that manages the ESXi system. You can use the vSphere Web Client or vCLI commands that support the --vihost option. The following commands cannot run against vCenter Server systems and are therefore not available in lockdown mode.

vifs

vicfg-user

vicfg-cfgbackup

vihostupdate

vmkfstools

vicfg-ipsec

If you have problems running a command on an ESXi host directly, without specifying a vCenter Server target, check whether lockdown mode is enabled on that host. See the vSphere Security documentation.
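The routing rule described above, as an added example that is not part of the original documentation: a pre-flight helper that builds the vCLI command line for a host. It sends supported commands through vCenter Server with --vihost when the host is in lockdown mode and refuses the six commands listed above. The function names, the host names and the caller-supplied lockdown flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Names below are hypothetical; host names are constructed.

# Commands the page lists as unable to run against vCenter Server systems.
DIRECT_ONLY="vifs vicfg-user vicfg-cfgbackup vihostupdate vmkfstools vicfg-ipsec"

# is_direct_only CMD -> status 0 if CMD is on the list above, 1 otherwise.
is_direct_only() {
    for c in $DIRECT_ONLY; do
        if [ "$c" = "$1" ]; then return 0; fi
    done
    return 1
}

# plan_vcli LOCKDOWN VCENTER ESXI_HOST CMD [ARGS...]
#   LOCKDOWN is "yes" or "no" (assumed to be known by the caller, for example
#   from the host's settings in the vSphere Web Client).
#   Prints the command line to run. Returns 2 when CMD cannot be used because
#   the host is in lockdown mode, and 1 on a bad LOCKDOWN value.
plan_vcli() {
    lockdown=$1; vcenter=$2; host=$3; cmd=$4
    shift 4
    case $lockdown in
        yes)
            if is_direct_only "$cmd"; then
                echo "$cmd: cannot target vCenter Server; not available while $host is in lockdown mode" >&2
                return 2
            fi
            # Lockdown: connect to vCenter Server and name the managed host.
            line="$cmd --server $vcenter --vihost $host" ;;
        no)
            # No lockdown: a direct connection to the ESXi host is allowed.
            line="$cmd --server $host" ;;
        *)
            echo "plan_vcli: LOCKDOWN must be yes or no" >&2
            return 1 ;;
    esac
    if [ $# -gt 0 ]; then line="$line $*"; fi
    echo "$line"
}

# Constructed demonstration: a supported command against a locked-down host.
plan_vcli yes vc.example.test esx01.example.test vicfg-ntp --list
```

A return status of 2 tells a calling script that the operation has to wait until lockdown mode is disabled on that host, rather than being retried with different credentials.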