diff --git a/src/applications/base/PhabricatorApplication.php b/src/applications/base/PhabricatorApplication.php
index 43f39cd500..fdded7fd25 100644
--- a/src/applications/base/PhabricatorApplication.php
+++ b/src/applications/base/PhabricatorApplication.php
@@ -454,6 +454,11 @@ abstract class PhabricatorApplication implements PhabricatorPolicyInterface {
       return null;
     }
 
+    $policy_locked = PhabricatorEnv::getEnvConfig('policy.locked');
+    if (isset($policy_locked[$capability])) {
+      return $policy_locked[$capability];
+    }
+
     return idx($policy, $capability);
   }
 
diff --git a/src/applications/meta/controller/PhabricatorApplicationEditController.php b/src/applications/meta/controller/PhabricatorApplicationEditController.php
index fa630d71ec..b29d33b7ce 100644
--- a/src/applications/meta/controller/PhabricatorApplicationEditController.php
+++ b/src/applications/meta/controller/PhabricatorApplicationEditController.php
@@ -115,11 +115,10 @@ final class PhabricatorApplicationEditController
       ->setUser($user);
 
     $locked_policies = PhabricatorEnv::getEnvConfig('policy.locked');
-    $locked_map = array_fill_keys($locked_policies, true);
     foreach ($application->getCapabilities() as $capability) {
       $label = $application->getCapabilityLabel($capability);
       $can_edit = $application->isCapabilityEditable($capability);
-      $locked = idx($locked_map, $capability);
+      $locked = idx($locked_policies, $capability);
       $caption = $application->getCapabilityCaption($capability);
 
       if (!$can_edit || $locked) {
@@ -132,7 +131,7 @@ final class PhabricatorApplicationEditController
         $form->appendChild(
           id(new AphrontFormPolicyControl())
           ->setUser($user)
-          ->setDisabled(idx($locked_map, $capability))
+          ->setDisabled($locked)
           ->setCapability($capability)
           ->setPolicyObject($application)
           ->setPolicies($policies)
diff --git a/src/applications/policy/config/PhabricatorPolicyConfigOptions.php b/src/applications/policy/config/PhabricatorPolicyConfigOptions.php
index 1f34822a32..9af77c525d 100644
--- a/src/applications/policy/config/PhabricatorPolicyConfigOptions.php
+++ b/src/applications/policy/config/PhabricatorPolicyConfigOptions.php
@@ -46,6 +46,7 @@ final class PhabricatorPolicyConfigOptions
             "available, and the most open policy is 'All Users' (which means ".
             "users must have accounts and be logged in to view things).")),
       $this->newOption('policy.locked', $policy_locked_type, array())
+        ->setLocked(true)
         ->setSummary(pht(
           'Lock specific application policies so they can not be edited.'))
         ->setDescription(pht(