diff --git a/divingbell/templates/bin/_apt.sh.tpl b/divingbell/templates/bin/_apt.sh.tpl
index a16ec42..5846349 100644
--- a/divingbell/templates/bin/_apt.sh.tpl
+++ b/divingbell/templates/bin/_apt.sh.tpl
@@ -115,6 +115,13 @@ dpkg --configure -a
 
 # Perform package installs
 set +x
+{{- if .Values.conf.apt.strict }}
+{{- range $all_apt_packages }}
+{{- $pkg_name := .name }}
+INSTALLED_THIS_TIME="$INSTALLED_THIS_TIME {{$pkg_name}} {{- if .version }}={{ .version }}{{ end }}"
+REQUESTED_PACKAGES="$REQUESTED_PACKAGES {{$pkg_name}}"
+{{- end }}
+{{- else }}
 {{- range $all_apt_packages }}
 {{- $pkg_name := .name }}
 if [[ "${CURRENT_PACKAGES[{{ .name | squote }}]+isset}" != "isset"{{- if .version }} || "${CURRENT_PACKAGES[{{ .name | squote }}]}" != {{ .version }}{{- end }} ]]; then
@@ -122,6 +129,7 @@ if [[ "${CURRENT_PACKAGES[{{ .name | squote }}]+isset}" != "isset"{{- if .versio
 fi
 REQUESTED_PACKAGES="$REQUESTED_PACKAGES {{$pkg_name}}"
 {{- end }}
+{{- end }}
 set -x
 # Run this in case some package installation was interrupted
 DEBIAN_FRONTEND=noninteractive apt-get install -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold {{- if .Values.conf.apt.allow_downgrade }} "--allow-downgrades" {{ end }}{{- if .repo }} -t {{ .repo }}{{ end }} $INSTALLED_THIS_TIME
@@ -144,7 +152,9 @@ fi
 ################################################
 
 {{- if .Values.conf.apt.strict }}
-APT_PURGE="apt-get purge -y --autoremove --allow-remove-essential"
+# For strict mode, we do not want to use --autoremove, to avoid
+# letting apt remove packages outside divingbell's control
+APT_PURGE="apt-get purge -y --allow-remove-essential"
 {{- else }}
 APT_PURGE="apt-get purge -y --autoremove"
 {{- end }}