diff --git a/install/installer/BUILD.yaml b/install/installer/BUILD.yaml
index 9a9aa2c077c14a..bd787db767d6b3 100644
--- a/install/installer/BUILD.yaml
+++ b/install/installer/BUILD.yaml
@@ -60,6 +60,7 @@ packages:
       - "scripts/*.sh"
     deps:
       - :app
+      - dev/gpctl:app
     argdeps:
       - imageRepoBase
     config:
diff --git a/install/installer/leeway.Dockerfile b/install/installer/leeway.Dockerfile
index b52d54050237fb..dd8a3a69000c01 100644
--- a/install/installer/leeway.Dockerfile
+++ b/install/installer/leeway.Dockerfile
@@ -8,6 +8,7 @@ RUN apk add --no-cache bash curl jq openssh-keygen yq  \
     && curl -L "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl \
     && chmod +x /usr/local/bin/kubectl
 COPY install-installer--app/installer install-installer--app/provenance-bundle.jsonl /app/
+COPY dev-gpctl--app/gpctl /app/
 COPY scripts/*.sh /app/scripts/
 ENTRYPOINT [ "/app/installer" ]
 CMD [ "help" ]
diff --git a/install/installer/scripts/kots-install.sh b/install/installer/scripts/kots-install.sh
index f968bc81b3d1d6..be664bf76e5f04 100755
--- a/install/installer/scripts/kots-install.sh
+++ b/install/installer/scripts/kots-install.sh
@@ -30,6 +30,28 @@ catch() {
     exit "${1}"
 }
 
+stop_running_workspaces() {
+    echo "Gitpod: shut down any running workspaces/image-builders"
+
+    # Create a context for gpctl
+    kubectl config set-context "${NAMESPACE}"
+    kubectl config use-context "${NAMESPACE}"
+    # gpctl doesn't have a namespace flag
+    kubectl config set-context --current --namespace="${NAMESPACE}"
+
+    # Get list of workspace instances from gpctl
+    for instance in $(/app/gpctl workspaces list -o json | jq -r 'select(. != null) | .[] | .Instance'); do
+        echo "Gitpod: shutting down workspace ${instance}"
+        /app/gpctl workspaces stop "${instance}" || eval "$(echo "Gitpod: retrying shutting down workspace" && \
+            sleep 10 && \
+            /app/gpctl workspaces stop "${instance}")"
+    done
+
+    # Delete the context
+    kubectl config unset "contexts.${NAMESPACE}"
+    kubectl config unset current-context
+}
+
 main() {
     if [ "${INSTALLER_DRY_RUN}" != "true" ]; then
         echo "Gitpod: Killing any in-progress installations"
@@ -156,6 +178,8 @@ EOF
         HELM_TIMEOUT="1h"
     fi
 
+    stop_running_workspaces
+
     # The long timeout is to ensure the TLS cert is created (if required)
     echo "Gitpod: Apply the Kubernetes objects with timeout of ${HELM_TIMEOUT}"
     helm upgrade \
diff --git a/install/kots/manifests/gitpod-installation-status.yaml b/install/kots/manifests/gitpod-installation-status.yaml
index 9786ad290d1347..642bcbbe617bfd 100644
--- a/install/kots/manifests/gitpod-installation-status.yaml
+++ b/install/kots/manifests/gitpod-installation-status.yaml
@@ -30,7 +30,7 @@ spec:
       containers:
         - name: installation-status
           # This will normally be the release tag
-          image: "eu.gcr.io/gitpod-core-dev/build/installer:tar-installer-env-refactor.2"
+          image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-installer-kill-workspaces.14"
           envFrom:
             - configMapRef:
                 name: gitpod-kots-config
diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
index 64ae296e260973..ae0ab86c082b3c 100644
--- a/install/kots/manifests/gitpod-installer-job.yaml
+++ b/install/kots/manifests/gitpod-installer-job.yaml
@@ -39,7 +39,7 @@ spec:
       containers:
         - name: installer
           # This will normally be the release tag
-          image: "eu.gcr.io/gitpod-core-dev/build/installer:tar-installer-env-refactor.2"
+          image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-installer-kill-workspaces.14"
           volumeMounts:
             - mountPath: /mnt/node0
               name: node-fs0
diff --git a/install/kots/manifests/kots-preflight.yaml b/install/kots/manifests/kots-preflight.yaml
index 8b18879bc83893..a41211c5107006 100644
--- a/install/kots/manifests/kots-preflight.yaml
+++ b/install/kots/manifests/kots-preflight.yaml
@@ -13,6 +13,9 @@ spec:
         namespace: '{{repl Namespace }}'
         podSpec:
           containers: []
+    - clusterResources:
+        namespaces:
+          - '{{repl Namespace }}'
     - run:
         collectorName: database
         image: eu.gcr.io/gitpod-core-dev/build/kots-config-check/database:sje-kots-config-check.9
@@ -429,3 +432,14 @@ spec:
               message: Registry is accessible
           - fail:
               message: Registry is inaccessible. Please check your network and firewall settings
+    - textAnalyze:
+        checkName: Check running workspaces
+        fileName: cluster-resources/pods/{{repl Namespace }}.json
+        regex: '"component": "workspace"'
+        outcomes:
+          - pass:
+              when: "false"
+              message: No running workspaces. Any workspaces started during the deployment process will be stopped.
+          - fail:
+              when: "true"
+              message: There are running workspaces. These will be stopped during the deployment process.