Ive seen some folks run into issues with monitoring and upgrading from 6.5 to 6.7. Some monitoring software keeps track of root esxi passwords. The issue came about when adding in some 6.7 seed hosts, and the differing requirements for password complexity.
As you can imagine, the monitoring software starts attempting to log into the new seed hosts, but with the old passwords, then creating a root user lockout, which is visible from within vcenter as a warning notification.
Quick easy fix if you need root access, in between correcting or ascertaining what is locking out your host in your scenario is to select the host then
Configure > System > edit > In the filter type “security” > change the option Secure.AccountLockoutFailures from the default of 5 to 0 which will disable account locking. Dont forget to set it back though.