diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index c5921ffffe0..cef4b85d906 100644
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -128,6 +128,19 @@ install-salt() {
   )
   URL_BASE="https://storage.googleapis.com/kubernetes-release/salt"
 
+  # Based on
+  # https://major.io/2014/06/26/install-debian-packages-without-starting-daemons/
+  # We do this to prevent Salt from starting the salt-minion
+  # daemon. The other packages don't have relevant daemons. (If you
+  # add a package that needs a daemon started, add it to a different
+  # list.)
+  cat > /usr/sbin/policy-rc.d <<EOF
+#!/bin/sh
+echo "Salt shall not start." >&2
+exit 101
+EOF
+  chmod 0755 /usr/sbin/policy-rc.d
+
   for tar in "${TARS[@]}"; do
     download-or-bust "${URL_BASE}/${tar}"
     dpkg -i "${tar}" || true
@@ -135,19 +148,19 @@ install-salt() {
 
   # This will install any of the unmet dependencies from above.
   apt-get install -f -y
+
+  rm /usr/sbin/policy-rc.d
 }
 
-# Ensure salt-minion *isn't* running
+# Ensure salt-minion never runs
 stop-salt-minion() {
   # This ensures it on next reboot
   echo manual > /etc/init/salt-minion.override
 
-  service salt-minion stop
-  while service salt-minion status >/dev/null; do
-    service salt-minion stop # No, really.
-    echo "Waiting for salt-minion to shut down"
-    sleep 1
-  done
+  if service salt-minion status >/dev/null; then
+    echo "salt-minion started in defiance of runlevel policy, aborting startup." >&2
+    return 1
+  fi
 }
 
 # Mounts a persistent disk (formatting if needed) to store the persistent data