diff --git a/docs/changelog.rst b/docs/changelog.rst
index dac924d8..0e52d365 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -22,6 +22,7 @@ In progress (unreleased)
 ------------------------
 
 * :gh:issue:`1306` CI: Report sudo version on Ansible targets
+* :gh:issue:`1306` CI: Move sudo test users defaults into ``/etc/sudoers.d``
 
 
 v0.3.27 (2025-08-20)
diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml
index 225d4a53..a1701e55 100644
--- a/tests/image_prep/_user_accounts.yml
+++ b/tests/image_prep/_user_accounts.yml
@@ -157,15 +157,14 @@
             owner: mitogen__has_sudo_pubkey
             group: mitogen__group
 
-    - name: Configure sudoers defaults
-      blockinfile:
-        path: /etc/sudoers
-        marker: "# {mark} Mitogen test defaults"
-        block: |
-          Defaults>mitogen__pw_required targetpw
-          Defaults>mitogen__require_tty requiretty
-          Defaults>mitogen__require_tty_pw_required requiretty,targetpw
+    - name: Configure sudoers
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: ug=r,o=
         validate: '/usr/sbin/visudo -cf %s'
+      with_items:
+        - {src: sudoers_defaults, dest: /etc/sudoers.d/mitogen_test_defaults}
 
     - name: Configure sudoers users
       blockinfile:
diff --git a/tests/image_prep/files/sudoers_defaults b/tests/image_prep/files/sudoers_defaults
new file mode 100644
index 00000000..3ad7a6d4
--- /dev/null
+++ b/tests/image_prep/files/sudoers_defaults
@@ -0,0 +1,3 @@
+Defaults>mitogen__pw_required targetpw
+Defaults>mitogen__require_tty requiretty
+Defaults>mitogen__require_tty_pw_required requiretty,targetpw