diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
index 9d87ce8..5bea3e3 100644
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -19,7 +19,7 @@
       failed_when: discovered_pwhistory_remember.rc not in [0, 1]
 
     - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set"
-      when: discovered_pwhistory_remember.stdout | length > 0
+      when: discovered_pwhistory_remember.stdout | length == 0
       ansible.builtin.lineinfile:
         path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
         regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+)
@@ -46,7 +46,7 @@
       failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
 
     - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set"
-      when: discovered_pwhistory_enforce_for_root.stdout | length > 0
+      when: discovered_pwhistory_enforce_for_root.stdout | length == 0
       ansible.builtin.lineinfile:
         path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
         regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root)
@@ -73,7 +73,7 @@
       failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
 
     - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set"
-      when: discovered_pwhistory_use_authtok.stdout | length > 0
+      when: discovered_pwhistory_use_authtok.stdout | length == 0
       ansible.builtin.lineinfile:
         path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
         regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok)
diff --git a/templates/usr/share/pam-configs/pwhistory.j2 b/templates/usr/share/pam-configs/pwhistory.j2
index aa4cbaf..98e97e2 100644
--- a/templates/usr/share/pam-configs/pwhistory.j2
+++ b/templates/usr/share/pam-configs/pwhistory.j2
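Review bot: The flipped `when` now runs the lineinfile only when the preceding grep returned nothing, but the task's `regexp` on the last line of the hunk still anchors on `(remember=\d+)`, so it can only match a line that already carries the option. If the task uses `backrefs: true` (the `line:` and `backrefs:` keys sit below the hunk and are not visible here) it becomes a silent no-op in exactly the case it is now gated for; if it does not, lineinfile will append the `line` value, `\1\2` references included, to the end of the file. Unless the grep tests for the specific value rather than mere presence of `remember=`, the absent case needs a pattern that does not require the option, e.g. `regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so)(?![^#\n\r]*remember=)(.*)$`, `line: \1 remember={{ ubtu24cis_pamd_pwhistory_remember }}\2`, `backrefs: true`, or the original `> 0` guard should stay and a separate task handle absence. The same pattern applies to the `enforce_for_root` and `use_authtok` hunks below. The enclosing task and its `block:` start and end outside the hunk.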
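Review bot: The task name on the context line above the changed `when` still reads `Ensure remember is set` although this task manages `use_authtok`, which will mislead anyone reading play output or the audit trail for 5.3.3.3.3; `- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"` says what it does. The 5.3.3.3.2 task in the hunk above has the same copy-paste suffix and should read `Ensure enforce_for_root is set`. The enclosing `block:` starts outside the hunk.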
@@ -3,4 +3,4 @@ Default: yes
 Priority: 1024
 Password-Type: Primary
 Password:
-	requisite pam_pwhistory.so enforce_for_root try_first_pass{% if ubtu24cis_rule_5_3_3_3_1 %} remember={{ ubtu24cis_pamd_pwhistory_remember }}{% endif %}{% if ubtu24cis_rule_5_3_3_3_2 %} enforce_for_root{% endif %}{% if ubtu24cis_rule_5_3_3_3_3 %} use_authtok{% endif %}
+	requisite pam_pwhistory.so {% if ubtu24cis_rule_5_3_3_3_1 %} remember={{ ubtu24cis_pamd_pwhistory_remember }}{% endif %}{% if ubtu24cis_rule_5_3_3_3_2 %} enforce_for_root{% endif %}{% if ubtu24cis_rule_5_3_3_3_3 %} use_authtok{% endif %}
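Review bot: The new line changes the security posture when a rule flag is off and nothing in the template says so: the removed line applied `enforce_for_root` unconditionally, whereas now disabling `ubtu24cis_rule_5_3_3_3_2` leaves root exempt from history checks and disabling `ubtu24cis_rule_5_3_3_3_1` drops `remember=` so the module's own default count applies instead of `ubtu24cis_pamd_pwhistory_remember` (both per my reading of pam_pwhistory(8); confirm against the 24.04 build). A Jinja comment above the line, stripped at render time, should state that each option is emitted only while its CIS rule is enabled and that pam_pwhistory defaults govern otherwise, so an operator toggling a rule knows what they are giving up. Minor: the space after `pam_pwhistory.so` plus the leading space inside each branch renders a double space, and a trailing space when no rule is enabled; `requisite pam_pwhistory.so{% if ubtu24cis_rule_5_3_3_3_1 %} remember={{ ubtu24cis_pamd_pwhistory_remember }}{% endif %}...` fixes both. The removed line also carried `try_first_pass`, which pam_pwhistory(8) does not list as an option, so dropping it looks harmless but deserves a sentence in the commit message since the benchmark's sample profile text includes it.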