diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java
index b64363fce719b..51037dd2cbc6c 100644
--- a/services/core/java/com/android/server/PersistentDataBlockService.java
+++ b/services/core/java/com/android/server/PersistentDataBlockService.java
@@ -146,6 +146,15 @@ public class PersistentDataBlockService extends SystemService {
                     "Only the Admin user is allowed to change OEM unlock state");
         }
     }
+
+    private void enforceFactoryResetAllowed() {
+        final boolean isOemUnlockRestricted = UserManager.get(mContext)
+                .hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET);
+        if (isOemUnlockRestricted) {
+            throw new SecurityException("OEM unlock is disallowed by DISALLOW_FACTORY_RESET");
+        }
+    }
+
     private int getTotalDataSizeLocked(DataInputStream inputStream) throws IOException {
         // skip over checksum
         inputStream.skipBytes(DIGEST_SIZE_BYTES);
@@ -452,7 +461,9 @@ public class PersistentDataBlockService extends SystemService {
                     Settings.Global.OEM_UNLOCK_DISALLOWED, 0) == 1) {
                 throw new SecurityException("OEM unlock has been disallowed.");
             }
-
+            if (enabled) {
+                enforceFactoryResetAllowed();
+            }
             synchronized (mLock) {
                 doSetOemUnlockEnabledLocked(enabled);
                 computeAndWriteDigestLocked();
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index 38a3f421264f8..414d16571870d 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -33,6 +33,7 @@ import android.os.RemoteException;
 import android.os.SystemProperties;
 import android.os.UserHandle;
 import android.os.UserManager;
+import android.service.persistentdata.PersistentDataBlockManager;
 import android.telephony.SubscriptionInfo;
 import android.telephony.SubscriptionManager;
 import android.util.Log;
@@ -424,6 +425,14 @@ public class UserRestrictionsUtils {
                             android.provider.Settings.Global.SAFE_BOOT_DISALLOWED,
                             newValue ? 1 : 0);
                     break;
+                case UserManager.DISALLOW_FACTORY_RESET:
+                    if (newValue) {
+                        PersistentDataBlockManager manager = (PersistentDataBlockManager) context
+                                .getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);
+                        if (manager != null) {
+                            manager.setOemUnlockEnabled(false);
+                        }
+                    }
             }
         } finally {
             Binder.restoreCallingIdentity(id);