diff --git a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
index fd18bec8..ce2ae419 100644
--- a/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
+++ b/overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset
@@ -1,3 +1,5 @@
 enable coreos-check-ssh-keys.service
 # Check if cgroupsv1 is still being used
 enable coreos-check-cgroups.service
+# Patch BLS grub_users setting
+enable coreos-fix-grub-users.service
diff --git a/overlay.d/15fcos/usr/lib/systemd/system/coreos-fix-grub-users.service b/overlay.d/15fcos/usr/lib/systemd/system/coreos-fix-grub-users.service
new file mode 100644
index 00000000..7e48301c
--- /dev/null
+++ b/overlay.d/15fcos/usr/lib/systemd/system/coreos-fix-grub-users.service
@@ -0,0 +1,20 @@
+# Remove after the next update barrier in all streams.
+
+[Unit]
+Description=Fix ostree grub_users Setting
+Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1333
+ConditionPathExists=!/var/lib/coreos/fix-grub-users.stamp
+# No GRUB on s390x. ppc64le has petitboot, which ignores these GRUB
+# commands, but do the update there anyway for consistency.
+ConditionArchitecture=!s390x
+RequiresMountsFor=/var/lib/coreos
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-fix-grub-users
+RemainAfterExit=yes
+# We remount /boot read-write
+MountFlags=slave
+
+[Install]
+WantedBy=multi-user.target
diff --git a/overlay.d/15fcos/usr/libexec/coreos-fix-grub-users b/overlay.d/15fcos/usr/libexec/coreos-fix-grub-users
new file mode 100755
index 00000000..d35e17d0
--- /dev/null
+++ b/overlay.d/15fcos/usr/libexec/coreos-fix-grub-users
@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# Set ostree sysroot.bls-append-except-default on instances booted from
+# images that incorrectly shipped without it.
+
+set -euo pipefail
+
+STAMP=/var/lib/coreos/fix-grub-users.stamp
+
+aleph_ver=$(jq -r .build < /sysroot/.coreos-aleph-version.json)
+date=$(echo "$aleph_ver" | cut -f2 -d.)
+stream=$(echo "$aleph_ver" | cut -f3 -d.)
+
+if [ "$stream" = "3" ]; then
+ start=20220819
+ end=20221012
+else
+ start=20220901
+ end=20221029
+fi
+
+mkdir -p /var/lib/coreos
+
+if [ "$date" -lt "$start" ]; then
+ echo "Image is too old to be affected; exiting"
+ touch "$STAMP"
+ exit 0
+fi
+
+if [ "$date" -gt "$end" ]; then
+ echo "Image is too new to be affected; exiting"
+ touch "$STAMP"
+ exit 0
+fi
+
+if ostree config get sysroot.bls-append-except-default 2>/dev/null; then
+ # user-set value?
+ echo "sysroot.bls-append-except-default already has a value; exiting"
+ touch "$STAMP"
+ exit 0
+fi
+
+echo "Setting value of sysroot.bls-append-except-default"
+ostree config set sysroot.bls-append-except-default 'grub_users=""'
+
+echo "Fixing existing deployments"
+mount -o remount,rw /boot
+cd /boot/loader/entries
+# Ignore the default deployment, which is last when sorted numerically
+for f in $(ls -v ostree-*.conf | head -n -1); do
+ if ! grep -q "^grub_users " "$f"; then
+ echo "Fixing $f"
+ echo 'grub_users ""' >> "$f"
+ fi
+done
+
+touch "$STAMP"
diff --git a/tests/kola/butane/data/commonlib.sh b/tests/kola/butane/data/commonlib.sh
new file mode 120000
index 00000000..1742d51e
--- /dev/null
+++ b/tests/kola/butane/data/commonlib.sh
@@ -0,0 +1 @@
+../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/butane/grub-users-fix b/tests/kola/butane/grub-users-fix
new file mode 100755
index 00000000..107c225c
--- /dev/null
+++ b/tests/kola/butane/grub-users-fix
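Review bot: In coreos-fix-grub-users, a failure after `ostree config set` leaves the older boot entries unpatched for good, because the config key is written before `/boot` is touched while the stamp is only written at the very end. If `mount -o remount,rw /boot` or the loop over `ostree-*.conf` exits non-zero under `set -e`, the next boot finds the key present, logs "already has a value", writes the stamp and never appends `grub_users ""` to the remaining non-default entries. The loop is already idempotent through its `grep -q "^grub_users "` guard, so moving `ostree config set sysroot.bls-append-except-default 'grub_users=""'` below `done` would let a retry finish the job. Separately, a build string whose second field is not numeric makes both `[ "$date" -lt … ]` and `[ "$date" -gt … ]` error out as false, so the script carries on and edits the entries; a guard such as `[[ "$date" =~ ^[0-9]{8}$ ]] || { echo "cannot parse build date" >&2; exit 1; }` before the comparisons would make that case fail visibly.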
@@ -0,0 +1,145 @@
+#!/bin/bash
+## kola:
+## # The fixup only exists in FCOS
+## distros: fcos
+## # Service doesn't run on s390x because there's no GRUB
+## architectures: "!s390x"
+## # Running on multiple platforms won't prove anything further
+## platforms: qemu
+#
+# Test coreos-fix-grub-users.service.
+
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+STAMP=/var/lib/coreos/fix-grub-users.stamp
+
+fatal_ctx() {
+ fatal "$1 ($AUTOPKGTEST_REBOOT_MARK)"
+}
+
+check() {
+ logline="$1"; shift
+ if ! grep -q "zz-$AUTOPKGTEST_REBOOT_MARK-zz" /proc/cmdline; then
+ fatal_ctx "Did not boot into correct deployment"
+ fi
+ if grep -q "zz-$AUTOPKGTEST_REBOOT_MARK-zz" /boot/loader/entries/ostree-1-*.conf; then
+ fatal_ctx "Previous deployment contains new karg"
+ fi
+ if ! grep -q "zz-$AUTOPKGTEST_REBOOT_MARK-zz" /boot/loader/entries/ostree-2-*.conf; then
+ fatal_ctx "Current deployment does not contain new karg"
+ fi
+ if [ ! -e "$STAMP" ]; then
+ fatal_ctx "Service stamp was not created"
+ fi
+ if touch /boot/z 2>/dev/null; then
+ fatal_ctx "/boot is mounted read-write"
+ fi
+ if touch /sysroot/ostree/repo/z 2>/dev/null; then
+ fatal_ctx "/sysroot is mounted read-write"
+ fi
+ if ! journalctl -b 0 -u coreos-fix-grub-users.service | grep -q "$logline"; then
+ journalctl -b 0 -o cat -u coreos-fix-grub-users.service
+ fatal_ctx "Did not find '$logline' in service output"
+ fi
+}
+
+check_success() {
+ check "Setting value of"
+ if [ "$(ostree config get sysroot.bls-append-except-default)" != 'grub_users=""' ]; then
+ fatal_ctx "Did not find grub_users setting in ostree config"
+ fi
+ if !
grep -q "^grub_users" /boot/loader/entries/ostree-1-*.conf; then
+ fatal_ctx "Did not find grub_users directive in previous deployment"
+ fi
+ if grep -q "^grub_users" /boot/loader/entries/ostree-2-*.conf; then
+ fatal_ctx "Found grub_users directive in current deployment"
+ fi
+}
+
+configure() {
+ ver="$1"; shift
+ # delete previous deployment
+ rpm-ostree cleanup -pr
+ mount -o remount,rw /sysroot
+ ostree config unset sysroot.bls-append-except-default
+ sed '/"build"/s/.*/"build": "'$ver'",/' \
+ /sysroot/.coreos-aleph-version.json > /tmp/aleph-version
+ cat /tmp/aleph-version > /sysroot/.coreos-aleph-version.json
+ rm -f $STAMP
+}
+
+reboot() {
+ mark="$1"; shift
+ # ensure there's a previous deployment
+ rpm-ostree kargs --append "zz-$mark-zz"
+ ok "Rebooting into $mark"
+ /tmp/autopkgtest-reboot "$mark"
+}
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+"")
+ # don't make assumptions about whether the fix has been applied in this
+ # image
+ configure 36.20220906.2.0
+ reboot testing-active-first
+ ;;
+testing-active-first)
+ check_success
+ reboot testing-duplicate
+ ;;
+testing-duplicate)
+ check "failed condition check"
+ configure 36.20221014.2.1
+ reboot testing-active-last
+ ;;
+testing-active-last)
+ check_success
+ configure 36.20220820.2.0
+ reboot testing-early
+ ;;
+testing-early)
+ check "too old to be affected"
+ configure 36.20221031.2.0
+ reboot testing-late
+ ;;
+testing-late)
+ check "too new to be affected"
+ configure 36.20220906.2.0
+ ostree config set sysroot.bls-append-except-default 'foo=bar'
+ reboot testing-already-set
+ ;;
+testing-already-set)
+ check "already has a value"
+ configure 37.20221021.1.1
+ reboot next-active-last
+ ;;
+next-active-last)
+ check_success
+ configure 36.20220820.3.0
+ reboot stable-active-first
+ ;;
+stable-active-first)
+ check_success
+ configure 36.20221001.3.1
+ reboot stable-active-last
+ ;;
+stable-active-last)
+ check_success
+ configure 36.20220806.3.0
+ reboot stable-early
+ ;;
+stable-early)
+ check
"too old to be affected"
+ configure 36.20221014.3.0
+ reboot stable-late
+ ;;
+stable-late)
+ check "too new to be affected"
+ ok "All tests passed"
+ ;;
+*)
+ fatal_ctx "Unexpected mark"
+ ;;
+esac
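Review bot: The `testing-already-set)` arm only matches the log line, so nothing pins that an operator-set value survives the service run. The previous arm stores `foo=bar`, so assert it is still there before `configure` unsets it: `[ "$(ostree config get sysroot.bls-append-except-default)" = 'foo=bar' ] || fatal_ctx "User-set value was overwritten"`. In `configure`, `$ver` is spliced unquoted into the sed expression and `rm -f $STAMP` is unquoted; both are harmless for the constants used here, but quoting them keeps the helper safe if it is reused.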