- A
Disable the DCUI service
Why wrong: Disabling the DCUI service is not possible; the DCUI is a built-in interface that cannot be disabled as a service. This option is incorrect.
- B
Enable lockdown mode
Enabling lockdown mode restricts access to the ESXi host's DCUI by requiring authentication through vCenter Server, preventing direct local or SSH logins. This is one of the correct actions.
- C
Add users to the DCUI exception list
Why wrong: Adding users to the DCUI exception list actually grants them access to the DCUI even when lockdown mode is enabled, contrary to restricting access. This option is incorrect.
- D
Remove the root user from the local password store
Why wrong: Removing the root user from the local password store does not restrict DCUI access; it may prevent root from logging in locally but does not affect DCUI specifically. This option is incorrect.
- E
Set DCUI access to 'Strict'
Setting DCUI access to 'Strict' disables the DCUI entirely for all users, including those in the exception list, except for the root user during initial setup. This is one of the correct actions.
How to Restrict Access to the ESXi Direct Console User Interface (DCUI)
This VCP-DCV practice question tests your understanding of vsphere security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Which two actions can be performed to restrict access to the ESXi host Direct Console User Interface (DCUI)? (Choose two.)
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Enable lockdown mode
Lockdown mode restricts access to the ESXi host's Direct Console User Interface (DCUI) by requiring authentication through vCenter Server and preventing direct local or SSH logins. Enabling lockdown mode (Option B) is a primary method to enforce this restriction, ensuring only authorized users via vCenter can manage the host. Setting DCUI access to 'Strict' (Option E) further tightens security by disabling the DCUI entirely for all users, including those in the exception list, except for root during initial setup.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Disable the DCUI service
Why it's wrong here
Disabling the DCUI service is not possible; the DCUI is a built-in interface that cannot be disabled as a service. This option is incorrect.
- ✓
Enable lockdown mode
Why this is correct
Enabling lockdown mode restricts access to the ESXi host's DCUI by requiring authentication through vCenter Server, preventing direct local or SSH logins. This is one of the correct actions.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Add users to the DCUI exception list
Why it's wrong here
Adding users to the DCUI exception list actually grants them access to the DCUI even when lockdown mode is enabled, contrary to restricting access. This option is incorrect.
- ✗
Remove the root user from the local password store
Why it's wrong here
Removing the root user from the local password store does not restrict DCUI access; it may prevent root from logging in locally but does not affect DCUI specifically. This option is incorrect.
- ✓
Set DCUI access to 'Strict'
Why this is correct
Setting DCUI access to 'Strict' disables the DCUI entirely for all users, including those in the exception list, except for the root user during initial setup. This is one of the correct actions.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse 'disabling the DCUI service' (which is not possible) with 'setting DCUI access to Strict' (which is a valid restriction), or they mistakenly think adding users to the exception list restricts access when it actually grants it.
Detailed technical explanation
How to think about this question
Lockdown mode operates by enforcing that all management operations must go through vCenter Server, using host profiles or direct configuration to apply the setting. When DCUI access is set to 'Strict', it overrides the exception list and disables the DCUI for all users, including those in the DCUI.Access list, except for root during initial configuration or recovery. This is controlled via the 'DCUI.Access' advanced system setting, which can be set to 'strict' to enforce complete restriction, while normal lockdown mode still allows exception users to access the DCUI.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the VCP-DCV exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
vSphere Security — study guide chapter
Learn the concepts, then practise the questions
- →
vSphere Security practice questions
Targeted practice on this topic area only
- →
All VCP-DCV questions
521 questions across all exam domains
- →
VMware Certified Professional Data Center Virtualization VCP-DCV study guide
Full concept coverage aligned to exam objectives
- →
VCP-DCV practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related VCP-DCV practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
vSphere Architecture, Products and Solutions practice questions
Practise VCP-DCV questions linked to vSphere Architecture, Products and Solutions.
Configure and Manage vSphere Networking practice questions
Practise VCP-DCV questions linked to Configure and Manage vSphere Networking.
Configure and Manage vSphere Storage practice questions
Practise VCP-DCV questions linked to Configure and Manage vSphere Storage.
vSphere Lifecycle Management practice questions
Practise VCP-DCV questions linked to vSphere Lifecycle Management.
vSphere Security practice questions
Practise VCP-DCV questions linked to vSphere Security.
vSphere Performance and Scaling practice questions
Practise VCP-DCV questions linked to vSphere Performance and Scaling.
VCP-DCV fundamentals practice questions
Practise VCP-DCV questions linked to VCP-DCV fundamentals.
VCP-DCV scenario practice questions
Practise VCP-DCV questions linked to VCP-DCV scenario.
VCP-DCV troubleshooting practice questions
Practise VCP-DCV questions linked to VCP-DCV troubleshooting.
Practice this exam
Start a free VCP-DCV practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this VCP-DCV question test?
vSphere Security — This question tests vSphere Security — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Enable lockdown mode — Lockdown mode restricts access to the ESXi host's Direct Console User Interface (DCUI) by requiring authentication through vCenter Server and preventing direct local or SSH logins. Enabling lockdown mode (Option B) is a primary method to enforce this restriction, ensuring only authorized users via vCenter can manage the host. Setting DCUI access to 'Strict' (Option E) further tightens security by disabling the DCUI entirely for all users, including those in the exception list, except for root during initial setup.
What should I do if I get this VCP-DCV question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
3 more ways this is tested on VCP-DCV
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A vSphere administrator wants to restrict direct console access to an ESXi host to authorized administrators only, without interrupting running virtual machines. Which feature should the administrator enable?
easy- ✓ A.Lockdown mode
- B.Enable DRS
- C.Configure a host profile
- D.Disable SSH service
Why A: Option A is correct because lockdown mode restricts direct access to the ESXi host via DCUI and SSH, but allows access through vCenter Server while VMs continue to run. Option B (Enable DRS) is wrong because DRS is for load balancing, not security. Option C (Configure a host profile) is wrong because host profiles configure settings but do not enforce access restriction. Option D (Disable SSH service) is wrong because disabling SSH alone does not restrict DCUI.
Variation 2. An administrator wants to prevent direct root access to an ESXi host via SSH and the DCUI. Which two configurations are necessary?
easy- A.Set the host to lockdown mode with root exception.
- B.Disable DCUI and SSH services.
- C.Configure SSO to require Smart Card authentication.
- ✓ D.Enable lockdown mode and remove root from permissions.
Why D: Option D is correct. Enabling lockdown mode on an ESXi host disables direct root access via SSH and DCUI. Additionally, removing the root user from the permissions list ensures that root cannot be granted access through exception lists. Option A is wrong because setting lockdown mode with root exception would still allow root access under specific circumstances. Option B is wrong because disabling DCUI and SSH services does not prevent root access via other means (e.g., vCenter) and does not enforce persistent restriction. Option C is wrong because configuring SSO with Smart Card authentication does not affect local root access at the ESXi host level.
Variation 3. Which TWO of the following are valid methods to restrict access to the ESXi host's Direct Console User Interface (DCUI) to authorized administrators only?
medium- A.Disable SSH access on the host to prevent remote DCUI access.
- ✓ B.Enable lockdown mode and add only authorized administrators to the Exception Users list.
- C.Remove the root user from the DCUI local users list.
- ✓ D.Set the advanced option 'DCUI.Access' to a list of authorized users.
- E.Configure Active Directory integration and use group policy to disable DCUI.
Why B: Options B and D are correct. Enabling lockdown mode and adding only authorized administrators to the Exception Users list restricts DCUI access to those users. Setting the advanced option 'DCUI.Access' to a list of authorized users also restricts DCUI access. Option A is incorrect because disabling SSH does not affect DCUI access; DCUI is accessed directly from the console, not via SSH. Option C is incorrect because the root user cannot be removed from the DCUI local users list. Option E is incorrect because Active Directory integration does not restrict DCUI access.
Keep practising
More VCP-DCV practice questions
- A vSphere administrator is managing a cluster with vLCM and receives a notification that a new ESXi patch is available.…
- An administrator needs to apply a security patch to a vLCM-managed cluster. The patch is available as an ESXi image in t…
- An administrator sees the above JSON output from a vLCM compliance report. What should the administrator do to resolve t…
- An administrator is planning to migrate from legacy baselines to vLCM for a cluster. Which TWO statements are true about…
- A vSphere administrator is using vLCM and needs to ensure that all hosts are compliant with the desired image. Which TWO…
- Which TWO actions are recommended to secure the vCenter Server Appliance (VCSA)?
Last reviewed: Jul 4, 2026
This VCP-DCV practice question is part of Courseiva's free VMware certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the VCP-DCV exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.