vSphere 6.5 – vCSA Update Root Password Expiry

This post is applicable to customers using VMware vCenter Server Appliance 6.5.


  1. You update your vCSA 6.5 instance to 6.5 U1a.
  2. After the update completes successfully, the root Password Expiry Policy is enabled with a period of 365 days, even though it was previously disabled.
  3. This introduces operational risk to your environment: you could be locked out of the root account after a year has elapsed.

Update: As of 19 December 2017, this issue has been corrected in


  1. Log in to the vCSA VAMI on Port 5480.
  2. Select the Administration object on the left and verify that the Password Expiration Settings policy is Enabled with a period of 365 days.
  3. Set the “Root Password Expires” to “No” and press Submit.
  4. Note: if you have an Information Security Policy that requires password expiry, then make sure the “Email for expiration warning” is configured with a monitored account.
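
To confirm the setting from the appliance shell rather than the VAMI, the added example below (not part of the original post) parses `chage -l root` output and reports whether expiry is enabled and how many days remain. It assumes root shell access to the appliance, that `chage` is available there, and C-locale dates; the function names and sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# root_expiry_status [TODAY]
#   stdin : output of `chage -l <user>` (C locale, dates like "Dec 19, 2018")
#   TODAY : YYYY-MM-DD; defaults to the current date
#   stdout: DISABLED | ENABLED max_days=N expires_in=D | UNKNOWN
#   return: 0 = expiry disabled, 1 = expiry enabled, 2 = could not parse
root_expiry_status() {
    awk -F': *' -v today="${1:-$(date +%Y-%m-%d)}" '
        # Julian Day Number of a Gregorian date, used for day arithmetic.
        function jdn(y, m, d,   a) {
            a = int((14 - m) / 12); y = y + 4800 - a; m = m + 12 * a - 3
            return d + int((153*m + 2)/5) + 365*y + int(y/4) - int(y/100) + int(y/400) - 32045
        }
        /^Password expires/                               { expires = $2 }
        /^Maximum number of days between password change/ { max = $2 }
        END {
            gsub(/[ \t]+$/, "", expires); gsub(/[ \t]+$/, "", max)
            if (expires == "" || max == "") { print "UNKNOWN"; exit 2 }
            if (expires == "never" || max + 0 < 0 || max + 0 >= 99999) {
                print "DISABLED"; exit 0
            }
            split(expires, p, /[ ,]+/)          # "Dec 19, 2018" -> Dec 19 2018
            i = index("JanFebMarAprMayJunJulAugSepOctNovDec", p[1])
            if (i == 0) { print "UNKNOWN"; exit 2 }
            split(today, t, "-")
            left = jdn(p[3], (i + 2) / 3, p[2]) - jdn(t[1], t[2], t[3])
            printf "ENABLED max_days=%d expires_in=%d\n", max, left
            exit 1
        }'
}

# Constructed samples (real output pads the labels with tabs).
sample_after_update() {
cat <<'EOF'
Last password change                               : Dec 19, 2017
Password expires                                   : Dec 19, 2018
Password inactive                                  : never
Account expires                                    : never
Minimum number of days between password change     : 0
Maximum number of days between password change     : 365
Number of days of warning before password expires  : 7
EOF
}
sample_after_fix() {   # same account once expiry has been switched off
    sample_after_update | sed -e '/^Password expires/s/:.*/: never/' -e '/^Maximum/s/:.*/: 99999/'
}
sample_after_update | root_expiry_status 2018-12-01 || true
```

On the appliance, run `chage -l root | root_expiry_status`; a return status of 1 after an update means the expiry policy is enabled.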


I noticed this after I updated from vCSA 6.5 U1 to U1a. I also verified this behaviour updating from vCSA 6.5 GA to U1a. I have not had time to check if every vCSA 6.5 update behaves this way.

2 Replies to “vSphere 6.5 – vCSA Update Root Password Expiry”

  1. Grant Palmer says:

    Hey there. Thank you for your post.

    FYI: I have seen this also with the 6.0 VCSA (various patch levels.) This appears to be a weird regression bug that VMware don’t seem to have closed.
