diff --git a/cassandra-schema.cql b/cassandra-schema.cql
index 3a6ff0c778..5c784c069a 100644
--- a/cassandra-schema.cql
+++ b/cassandra-schema.cql
@@ -1184,6 +1184,7 @@ CREATE TABLE galley_test.team_features (
     mls_e2eid_lock_status int,
     mls_e2eid_status int,
     mls_e2eid_ver_exp timestamp,
+    mls_lock_status int,
     mls_migration_finalise_regardless_after timestamp,
     mls_migration_lock_status int,
     mls_migration_start_time timestamp,
diff --git a/changelog.d/0-release-notes/WPB-5143 b/changelog.d/0-release-notes/WPB-5143
new file mode 100644
index 0000000000..61816853ac
--- /dev/null
+++ b/changelog.d/0-release-notes/WPB-5143
@@ -0,0 +1,14 @@
+The mls team feature now has a lock status. If the current installation has default settings defined in wire-server's `values.yaml`, the `lockStatus` has to be added, e.g.:
+
+```yaml
+mls:
+  defaults:
+    status: enabled
+    config:
+      protocolToggleUsers: []
+      defaultProtocol: mls
+      allowedCipherSuites: [1]
+      defaultCipherSuite: 1
+      supportedProtocols: [proteus, mls] # must contain defaultProtocol
+    lockStatus: locked
+```
diff --git a/changelog.d/2-features/WPB-5143 b/changelog.d/2-features/WPB-5143
new file mode 100644
index 0000000000..3d7fc2cdfe
--- /dev/null
+++ b/changelog.d/2-features/WPB-5143
@@ -0,0 +1 @@
+The mls team feature now has a lock status
diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml
index 8bd2d28c37..daeecc78db 100644
--- a/charts/galley/values.yaml
+++ b/charts/galley/values.yaml
@@ -41,10 +41,10 @@ config:
     conversationCodeURI: null
     #
     # `multiIngress` is a `Z-Host` depended setting of conversationCodeURI.
-    # Use this only if you want to expose the instance on mutliple ingresses.
+    # Use this only if you want to expose the instance on multiple ingresses.
     # If set it must a map from `Z-Host` to URI prefix
     # Example:
-    # multiIngress: 
+    # multiIngress:
     #    example.com: https://accounts.example.com/conversation-join/
     #    example.net: https://accounts.example.net/conversation-join/
     multiIngress: null
@@ -83,6 +83,7 @@ config:
             allowedCipherSuites: [1]
             defaultCipherSuite: 1
             supportedProtocols: [proteus, mls] # must contain defaultProtocol
+          lockStatus: unlocked
       searchVisibilityInbound:
         defaults:
           status: disabled
diff --git a/docs/src/developer/reference/config-options.md b/docs/src/developer/reference/config-options.md
index d92d461479..fd8e6034ad 100644
--- a/docs/src/developer/reference/config-options.md
+++ b/docs/src/developer/reference/config-options.md
@@ -299,17 +299,18 @@ If this feature is disabled then clients will use the Proteus protocol with this
 
 The default configuration that applies to all teams that didn't explicitly change their feature configuration can be given in galley's `featureFlags` section in the config file:
 
-```
+```yaml
 # galley.yaml
 mls:
   defaults:
-    status: disabled
+    status: enabled
     config:
       protocolToggleUsers: []
-      defaultProtocol: proteus
+      defaultProtocol: mls
       allowedCipherSuites: [1]
       defaultCipherSuite: 1
-
+      supportedProtocols: [proteus, mls] # must contain defaultProtocol
+    lockStatus: locked
 ```
 
 This default configuration can be overriden on a per-team basis through the [feature config API](../developer/features.md)
@@ -748,7 +749,7 @@ to the configuration example above:
 
 ![Sequence Diagram: Alice and Bob download an asset](./multi-ingress-example-sequence.svg)
 
-<!-- 
+<!--
 Unfortunately, kroki currently doesn't work on our CI: SQPIT-1810
 Link to diagram:
 https://mermaid.live/edit#pako:eNrdVbFu2zAQ_ZUDJ7ewDdhtUkBDgBRB0CHIYCNL4eVEnmWiMk8lKbttkH8vJbsW5dCOUXSqBkHiPT6-e3yinoVkRSITEC5H32syku40FhbXCwP7C6VnC1hqSQNL6l1XeWRPwBuKqxk8OXKwpRyrahxGxvQD11VJY8mvSHPOB4UlMknSrtonbcfStBVar6Wu0HjQJgCdGwUNKfaonMGMax8WeH9acIq5FXKOuwVE7BcqN4U2v9IlibbgFZcqXZ5_ABeMxYK6uiXpwRb5YHp1NYTJ9FN7ixw3jW6ri5UHXva28rZ5BsVbUzIqB-gc-WgTD9DRzU3Pz7v9FChZYnk8L4KGiW23Gdyz3aJVQW7IoYvQbT3gDq2_wsIIbpWCr6MvHF5WhIpsL2p6g6HFhHePvdajFR6Yv0Fd7ZTDquF9mj3AMoR2t0zHcZg1CiJj92akdGP-OLBJ9JpDFOa73YGNxnRAFZ3Te9rxey5L3gZHdmueMrsLyBnHDwpScerGQr_9dn1tzfFeR_2k2MioRFIn15MhTD82Sb0-ndT4fPjM-emcdsDItf23eVlSW_D_ltXYv0uzenTknU_rOd_fzOsfy_9xYvtN_21ixVCsya5Rq_D3fG6KC-FXtKaFyMKjoiXWpV-IhXkJUKw9z38aKTJvaxqKulKBff-jFdkSS0cvvwHKl250
@@ -761,21 +762,21 @@ For conversation invite links to be correct in a multi-ingress setup `settings.m
 Example:
 
 ```yaml
-multiIngress: 
+multiIngress:
    red.example.com: https://accounts.red.example.com/conversation-join/
    green.example.com: https://accounts.green.example.net/conversation-join/
 ```
 
 ### Webapp
 
-The webapp runs its own web server (a NodeJS server) to serve static files and the webapp config (based on environment variables). 
-In a multi-ingress configuration, a single webapp instance will be deployed and be accessible from multiple domains (say `webapp.red.example.com` and `webapp.green.example.com`). 
-When the webapp is loaded from one of those domains it first does a request to the web server to get the config (that will give it, for example, the backend endpoint that it should hit). 
+The webapp runs its own web server (a NodeJS server) to serve static files and the webapp config (based on environment variables).
+In a multi-ingress configuration, a single webapp instance will be deployed and be accessible from multiple domains (say `webapp.red.example.com` and `webapp.green.example.com`).
+When the webapp is loaded from one of those domains it first does a request to the web server to get the config (that will give it, for example, the backend endpoint that it should hit).
 
-Because of the single instance nature of the webapp, by default the configuration is static and the root url to the backend API can be set there (say `nginz-https.root.example.com`). 
+Because of the single instance nature of the webapp, by default the configuration is static and the root url to the backend API can be set there (say `nginz-https.root.example.com`).
 In order to completely hide this root domain to the webapp, an environment variable can be set to allow the webapp hostname to be used to generate the API endpoint, team settings links, account page links and CSP headers.
 
-The "hostname" is the result of the domain name minus the `webapp.` part of it. 
+The "hostname" is the result of the domain name minus the `webapp.` part of it.
 So querying the webapp on `webapp.red.example.com` will resolve to `red.example.com`.
 
 To enable dynamic hostname replacement, first set this variable:
@@ -784,7 +785,7 @@ To enable dynamic hostname replacement, first set this variable:
 ENABLE_DYNAMIC_HOSTNAME="true"
 ```
 
-Then, any other variable that will contain the string `[[hostname]]` will be replaced by the hostname of the running webapp. (eg. if a webapp is running on `webapp.red.example.com` then any occurrence of `[[hostname]]` in the config will be replaced by `red.example.com`). 
+Then, any other variable that will contain the string `[[hostname]]` will be replaced by the hostname of the running webapp. (eg. if a webapp is running on `webapp.red.example.com` then any occurrence of `[[hostname]]` in the config will be replaced by `red.example.com`).
 
 You may use the template variable `[[hostname]]` in any environment variable to not provide (reveal) actual domain names.
 
diff --git a/libs/galley-types/src/Galley/Types/Teams.hs b/libs/galley-types/src/Galley/Types/Teams.hs
index f61fa76444..e77b04951b 100644
--- a/libs/galley-types/src/Galley/Types/Teams.hs
+++ b/libs/galley-types/src/Galley/Types/Teams.hs
@@ -162,7 +162,7 @@ data FeatureFlags = FeatureFlags
     _flagsTeamFeatureValidateSAMLEmailsStatus :: !(Defaults (ImplicitLockStatus ValidateSAMLEmailsConfig)),
     _flagTeamFeatureSndFactorPasswordChallengeStatus :: !(Defaults (WithStatus SndFactorPasswordChallengeConfig)),
     _flagTeamFeatureSearchVisibilityInbound :: !(Defaults (ImplicitLockStatus SearchVisibilityInboundConfig)),
-    _flagMLS :: !(Defaults (ImplicitLockStatus MLSConfig)),
+    _flagMLS :: !(Defaults (WithStatus MLSConfig)),
     _flagOutlookCalIntegration :: !(Defaults (WithStatus OutlookCalIntegrationConfig)),
     _flagMlsE2EId :: !(Defaults (WithStatus MlsE2EIdConfig)),
     _flagMlsMigration :: !(Defaults (WithStatus MlsMigrationConfig))
@@ -214,7 +214,7 @@ instance FromJSON FeatureFlags where
       <*> withImplicitLockStatusOrDefault obj "validateSAMLEmails"
       <*> (fromMaybe (Defaults (defFeatureStatus @SndFactorPasswordChallengeConfig)) <$> (obj .:? "sndFactorPasswordChallenge"))
       <*> withImplicitLockStatusOrDefault obj "searchVisibilityInbound"
-      <*> withImplicitLockStatusOrDefault obj "mls"
+      <*> (fromMaybe (Defaults (defFeatureStatus @MLSConfig)) <$> (obj .:? "mls"))
       <*> (fromMaybe (Defaults (defFeatureStatus @OutlookCalIntegrationConfig)) <$> (obj .:? "outlookCalIntegration"))
       <*> (fromMaybe (Defaults (defFeatureStatus @MlsE2EIdConfig)) <$> (obj .:? "mlsE2EId"))
       <*> (fromMaybe (Defaults (defFeatureStatus @MlsMigrationConfig)) <$> (obj .:? "mlsMigration"))
diff --git a/libs/galley-types/test/unit/Test/Galley/Types.hs b/libs/galley-types/test/unit/Test/Galley/Types.hs
index e4922fa5ef..dc58b44845 100644
--- a/libs/galley-types/test/unit/Test/Galley/Types.hs
+++ b/libs/galley-types/test/unit/Test/Galley/Types.hs
@@ -95,7 +95,7 @@ instance Arbitrary FeatureFlags where
       <*> fmap (fmap unlocked) arbitrary
       <*> arbitrary
       <*> fmap (fmap unlocked) arbitrary
-      <*> fmap (fmap unlocked) arbitrary
+      <*> arbitrary
       <*> arbitrary
       <*> arbitrary
       <*> arbitrary
diff --git a/libs/wire-api/src/Wire/API/Routes/Internal/Galley.hs b/libs/wire-api/src/Wire/API/Routes/Internal/Galley.hs
index 0189df23a3..3dd5a9ace0 100644
--- a/libs/wire-api/src/Wire/API/Routes/Internal/Galley.hs
+++ b/libs/wire-api/src/Wire/API/Routes/Internal/Galley.hs
@@ -136,6 +136,7 @@ type IFeatureAPI =
     :<|> IFeatureStatusGet MLSConfig
     :<|> IFeatureStatusPut '[] '() MLSConfig
     :<|> IFeatureStatusPatch '[] '() MLSConfig
+    :<|> IFeatureStatusLockStatusPut MLSConfig
     -- ExposeInvitationURLsToTeamAdminConfig
     :<|> IFeatureStatusGet ExposeInvitationURLsToTeamAdminConfig
     :<|> IFeatureStatusPut '[] '() ExposeInvitationURLsToTeamAdminConfig
diff --git a/services/galley/galley.cabal b/services/galley/galley.cabal
index 07c708b6a7..233d2970b7 100644
--- a/services/galley/galley.cabal
+++ b/services/galley/galley.cabal
@@ -273,6 +273,7 @@ library
     Galley.Schema.V86_TeamFeatureMlsMigration
     Galley.Schema.V87_TeamFeatureSupportedProtocols
     Galley.Schema.V88_RemoveMemberClientAndTruncateMLSGroupMemberClient
+    Galley.Schema.V89_MlsLockStatus
     Galley.Types.Clients
     Galley.Types.ToUserRole
     Galley.Types.UserList
diff --git a/services/galley/src/Galley/API/Internal.hs b/services/galley/src/Galley/API/Internal.hs
index 97d62a76c6..2ec8b797ca 100644
--- a/services/galley/src/Galley/API/Internal.hs
+++ b/services/galley/src/Galley/API/Internal.hs
@@ -206,6 +206,7 @@ featureAPI =
     <@> mkNamedAPI @'("iget", MLSConfig) (getFeatureStatus DontDoAuth)
     <@> mkNamedAPI @'("iput", MLSConfig) setFeatureStatusInternal
     <@> mkNamedAPI @'("ipatch", MLSConfig) patchFeatureStatusInternal
+    <@> mkNamedAPI @'("ilock", MLSConfig) (updateLockStatus @MLSConfig)
     <@> mkNamedAPI @'("iget", ExposeInvitationURLsToTeamAdminConfig) (getFeatureStatus DontDoAuth)
     <@> mkNamedAPI @'("iput", ExposeInvitationURLsToTeamAdminConfig) setFeatureStatusInternal
     <@> mkNamedAPI @'("ipatch", ExposeInvitationURLsToTeamAdminConfig) patchFeatureStatusInternal
diff --git a/services/galley/src/Galley/API/Teams/Features.hs b/services/galley/src/Galley/API/Teams/Features.hs
index 1736b887bc..546365d456 100644
--- a/services/galley/src/Galley/API/Teams/Features.hs
+++ b/services/galley/src/Galley/API/Teams/Features.hs
@@ -92,10 +92,13 @@ patchFeatureStatusInternal ::
   WithStatusPatch cfg ->
   Sem r (WithStatus cfg)
 patchFeatureStatusInternal tid patch = do
+  assertTeamExists tid
   currentFeatureStatus <- getFeatureStatus @cfg DontDoAuth tid
   let newFeatureStatus = applyPatch currentFeatureStatus
+  -- setting the config can fail, so we need to do it first
+  void $ setConfigForTeam @cfg tid (forgetLock newFeatureStatus)
   when (isJust $ wspLockStatus patch) $ void $ updateLockStatus @cfg tid (wsLockStatus newFeatureStatus)
-  setConfigForTeam @cfg tid (forgetLock newFeatureStatus)
+  getFeatureStatus @cfg DontDoAuth tid
   where
     applyPatch :: WithStatus cfg -> WithStatus cfg
     applyPatch current =
diff --git a/services/galley/src/Galley/API/Teams/Features/Get.hs b/services/galley/src/Galley/API/Teams/Features/Get.hs
index 006fbde97d..1bdecdd78b 100644
--- a/services/galley/src/Galley/API/Teams/Features/Get.hs
+++ b/services/galley/src/Galley/API/Teams/Features/Get.hs
@@ -455,7 +455,7 @@ instance GetFeatureConfig SearchVisibilityInboundConfig where
 
 instance GetFeatureConfig MLSConfig where
   getConfigForServer =
-    input <&> view (settings . featureFlags . flagMLS . unDefaults . unImplicitLockStatus)
+    input <&> view (settings . featureFlags . flagMLS . unDefaults)
 
 instance GetFeatureConfig ExposeInvitationURLsToTeamAdminConfig where
   getConfigForTeam tid = do
diff --git a/services/galley/src/Galley/App.hs b/services/galley/src/Galley/App.hs
index 9978c77ec0..e505488146 100644
--- a/services/galley/src/Galley/App.hs
+++ b/services/galley/src/Galley/App.hs
@@ -145,7 +145,7 @@ validateOptions o = do
     (Nothing, Just _) -> error "RabbitMQ config is specified and federator is not, please specify both or none"
     (Just _, Nothing) -> error "Federator is specified and RabbitMQ config is not, please specify both or none"
     _ -> pure ()
-  let mlsFlag = settings' ^. featureFlags . Teams.flagMLS . Teams.unDefaults . Teams.unImplicitLockStatus
+  let mlsFlag = settings' ^. featureFlags . Teams.flagMLS . Teams.unDefaults
       mlsConfig = wsConfig mlsFlag
       migrationStatus = wsStatus $ settings' ^. featureFlags . Teams.flagMlsMigration . Teams.unDefaults
   when (migrationStatus == FeatureStatusEnabled && ProtocolMLSTag `notElem` mlsSupportedProtocols mlsConfig) $
diff --git a/services/galley/src/Galley/Cassandra/TeamFeatures.hs b/services/galley/src/Galley/Cassandra/TeamFeatures.hs
index 85451bc46d..d9db6f3389 100644
--- a/services/galley/src/Galley/Cassandra/TeamFeatures.hs
+++ b/services/galley/src/Galley/Cassandra/TeamFeatures.hs
@@ -255,6 +255,7 @@ getFeatureLockStatus FeatureSingletonSndFactorPasswordChallengeConfig tid = getL
 getFeatureLockStatus FeatureSingletonMlsE2EIdConfig tid = getLockStatusC "mls_e2eid_lock_status" tid
 getFeatureLockStatus FeatureSingletonMlsMigration tid = getLockStatusC "mls_migration_lock_status" tid
 getFeatureLockStatus FeatureSingletonOutlookCalIntegrationConfig tid = getLockStatusC "outlook_cal_integration_lock_status" tid
+getFeatureLockStatus FeatureSingletonMLSConfig tid = getLockStatusC "mls_lock_status" tid
 getFeatureLockStatus _ _ = pure Nothing
 
 setFeatureLockStatus :: MonadClient m => FeatureSingleton cfg -> TeamId -> LockStatus -> m ()
@@ -265,6 +266,7 @@ setFeatureLockStatus FeatureSingletonSndFactorPasswordChallengeConfig tid status
 setFeatureLockStatus FeatureSingletonMlsE2EIdConfig tid status = setLockStatusC "mls_e2eid_lock_status" tid status
 setFeatureLockStatus FeatureSingletonMlsMigration tid status = setLockStatusC "mls_migration_lock_status" tid status
 setFeatureLockStatus FeatureSingletonOutlookCalIntegrationConfig tid status = setLockStatusC "outlook_cal_integration_lock_status" tid status
+setFeatureLockStatus FeatureSingletonMLSConfig tid status = setLockStatusC "mls_lock_status" tid status
 setFeatureLockStatus _ _tid _status = pure ()
 
 getTrivialConfigC ::
diff --git a/services/galley/src/Galley/Schema/Run.hs b/services/galley/src/Galley/Schema/Run.hs
index 9f5c68d74c..5291020674 100644
--- a/services/galley/src/Galley/Schema/Run.hs
+++ b/services/galley/src/Galley/Schema/Run.hs
@@ -88,6 +88,7 @@ import Galley.Schema.V85_MLSDraft17 qualified as V85_MLSDraft17
 import Galley.Schema.V86_TeamFeatureMlsMigration qualified as V86_TeamFeatureMlsMigration
 import Galley.Schema.V87_TeamFeatureSupportedProtocols qualified as V87_TeamFeatureSupportedProtocols
 import Galley.Schema.V88_RemoveMemberClientAndTruncateMLSGroupMemberClient qualified as V88_RemoveMemberClientAndTruncateMLSGroupMemberClient
+import Galley.Schema.V89_MlsLockStatus qualified as V89_MlsLockStatus
 import Imports
 import Options.Applicative
 import System.Logger.Extended qualified as Log
@@ -177,7 +178,8 @@ migrations =
     V85_MLSDraft17.migration,
     V86_TeamFeatureMlsMigration.migration,
     V87_TeamFeatureSupportedProtocols.migration,
-    V88_RemoveMemberClientAndTruncateMLSGroupMemberClient.migration
+    V88_RemoveMemberClientAndTruncateMLSGroupMemberClient.migration,
+    V89_MlsLockStatus.migration
     -- FUTUREWORK: once #1726 has made its way to master/production,
     -- the 'message' field in connections table can be dropped.
     -- See also https://github.com/wireapp/wire-server/pull/1747/files
diff --git a/services/galley/src/Galley/Schema/V89_MlsLockStatus.hs b/services/galley/src/Galley/Schema/V89_MlsLockStatus.hs
new file mode 100644
index 0000000000..26e42738b8
--- /dev/null
+++ b/services/galley/src/Galley/Schema/V89_MlsLockStatus.hs
@@ -0,0 +1,33 @@
+-- This file is part of the Wire Server implementation.
+--
+-- Copyright (C) 2023 Wire Swiss GmbH <opensource@wire.com>
+--
+-- This program is free software: you can redistribute it and/or modify it under
+-- the terms of the GNU Affero General Public License as published by the Free
+-- Software Foundation, either version 3 of the License, or (at your option) any
+-- later version.
+--
+-- This program is distributed in the hope that it will be useful, but WITHOUT
+-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+-- details.
+--
+-- You should have received a copy of the GNU Affero General Public License along
+-- with this program. If not, see <https://www.gnu.org/licenses/>.
+module Galley.Schema.V89_MlsLockStatus
+  ( migration,
+  )
+where
+
+import Cassandra.Schema
+import Imports
+import Text.RawString.QQ
+
+migration :: Migration
+migration =
+  Migration 89 "Add lock status for MLSConfig" $
+    schema'
+      [r| ALTER TABLE team_features ADD (
+            mls_lock_status int
+        )
+     |]
diff --git a/services/galley/test/integration/API/Teams/Feature.hs b/services/galley/test/integration/API/Teams/Feature.hs
index 85e27e845f..dbfed7255e 100644
--- a/services/galley/test/integration/API/Teams/Feature.hs
+++ b/services/galley/test/integration/API/Teams/Feature.hs
@@ -130,8 +130,8 @@ tests s =
             testPatch IgnoreLockStatusChange FeatureStatusEnabled SearchVisibilityAvailableConfig,
           test s (unpack $ featureNameBS @MLSConfig) $
             testPatchWithCustomGen
-              IgnoreLockStatusChange
-              FeatureStatusEnabled
+              AssertLockStatusChange
+              FeatureStatusDisabled
               ( MLSConfig
                   []
                   ProtocolProteusTag
@@ -1278,6 +1278,10 @@ testMLS = do
       setForTeamInternal :: HasCallStack => WithStatusNoLock MLSConfig -> TestM ()
       setForTeamInternal = setForTeamInternalWithStatusCode expect2xx
 
+      setLockStatus :: HasCallStack => LockStatus -> TestM ()
+      setLockStatus lockStatus =
+        Util.setLockStatusInternal @MLSConfig galley tid lockStatus !!! statusCode === const 200
+
   let cipherSuite = MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519
       defaultConfig =
         WithStatusNoLock
@@ -1302,6 +1306,11 @@ testMLS = do
 
   getViaEndpoints defaultConfig
 
+  -- when the feature is locked it cannot be changed
+  setLockStatus LockStatusLocked
+  setForTeamWithStatusCode 409 config2
+  setLockStatus LockStatusUnlocked
+
   WS.bracketR cannon member $ \ws -> do
     setForTeam config2
     void . liftIO $
@@ -1309,6 +1318,11 @@ testMLS = do
         wsAssertFeatureConfigUpdate @MLSConfig config2 LockStatusUnlocked
   getViaEndpoints config2
 
+  -- when the feature is locked the default config is returned
+  setLockStatus LockStatusLocked
+  getViaEndpoints defaultConfig
+  setLockStatus LockStatusUnlocked
+
   WS.bracketR cannon member $ \ws -> do
     setForTeamWithStatusCode 400 invalidConfig
     void . liftIO $