vSphere 6.5 – vCSA Update Root Password Expiry

This post is applicable to customers using VMware vCenter Server Appliance 6.5.


  1. You update your vCSA 6.5 instance to 6.5 U1a.
  2. After the update completes successfully, the root Password Expiry Policy is enabled with a period of 365 days, even though it was previously disabled.
  3. This introduces operational risk to your environment where you could be locked out of the root account after a year has elapsed.

Update: As of 19 December 2017, this issue has been corrected in


  1. Log in to the vCSA VAMI on port 5480.
  2. Select the Administration object on the left and verify that the Password Expiration Settings policy is Enabled with a period of 365 days.
  3. Set the “Root Password Expires” to “No” and press Submit.
  4. Note: if you have an Information Security Policy that requires password expiry, then make sure the “Email for expiration warning” is configured with a monitored account.
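
The same check can be scripted so the change is caught after every update rather than a year later. This is an added example, not part of the original post or VMware's tooling. It assumes the appliance reports root's password aging through the standard Linux `chage -l root` command and that you save that output before and after the update; the sample outputs and function names are constructed for illustration.

```python
from datetime import date, datetime

# Constructed samples of `chage -l root` output, before and after an update.
BEFORE = """\
Last password change                                : Jun 01, 2017
Password expires                                    : never
Maximum number of days between password change      : 99999
"""
AFTER = """\
Last password change                                : Jun 01, 2017
Password expires                                    : Jun 01, 2018
Maximum number of days between password change      : 365
"""

def parse_chage(text):
    """Return {'expires': date or None, 'max_days': int or None}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    raw = fields.get("password expires", "never")
    # Assumption: the field is either "never" or a date like "Jun 01, 2018".
    expires = None if raw == "never" else datetime.strptime(raw, "%b %d, %Y").date()
    max_raw = fields.get("maximum number of days between password change")
    return {"expires": expires, "max_days": int(max_raw) if max_raw else None}

def check_root_expiry(before, after, today, warn_days=30):
    """Flag an expiry policy that appeared with the update, and a near or past expiry."""
    old, new = parse_chage(before), parse_chage(after)
    findings = []
    if old["expires"] is None and new["expires"] is not None:
        findings.append(f"expiry enabled by update (max {new['max_days']} days)")
    if new["expires"] is not None:
        remaining = (new["expires"] - today).days
        if remaining < 0:
            findings.append(f"root password expired {-remaining} days ago")
        elif remaining <= warn_days:
            findings.append(f"root password expires in {remaining} days")
    return findings

if __name__ == "__main__":
    for finding in check_root_expiry(BEFORE, AFTER, date.today()):
        print(finding)
```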


I noticed this after I updated from vCSA 6.5 U1 to U1a. I also verified this behaviour updating from vCSA 6.5 GA to U1a. I have not had time to check if every vCSA 6.5 update behaves this way.

Published by


Chief Enterprise Architect and Strategist, 4xVCDX#133, NPX#8, DECM-EA.

2 thoughts on “vSphere 6.5 – vCSA Update Root Password Expiry”

  1. Hey there. Thank you for your post.

    FYI: I have seen this also with the 6.0 VCSA (various patch levels.) This appears to be a weird regression bug that VMware don’t seem to have closed.
