diff --git a/roles/baseline/tasks/ipaclient.yml b/roles/baseline/tasks/ipaclient.yml
index e301e96..4bfbb34 100644
--- a/roles/baseline/tasks/ipaclient.yml
+++ b/roles/baseline/tasks/ipaclient.yml
@@ -10,13 +10,16 @@
 register: _baseline_freeipa_authselect_status
 changed_when: false
 
-- name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
- ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir with-subid --force
+- name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and more if not set
+ ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir with-subid with-faillock with-pwhistory without-nullok --force
 when: >
 'Profile ID: sssd' not in _baseline_freeipa_authselect_status.stdout or
 'with-sudo' not in _baseline_freeipa_authselect_status.stdout or
 'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout or
- 'with-subid' not in _baseline_freeipa_authselect_status.stdout
+ 'with-subid' not in _baseline_freeipa_authselect_status.stdout or
+ 'with-faillock' not in _baseline_freeipa_authselect_status.stdout or
+ 'with-pwhistory' not in _baseline_freeipa_authselect_status.stdout or
+ 'without-nullok' not in _baseline_freeipa_authselect_status.stdout
 
 - name: FreeIPA Client | PATCH | Enable oddjobd.service (for with-mkhomedir feature)
 ansible.builtin.systemd_service:
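Review bot: The new `authselect select` line turns on `with-faillock` and `with-pwhistory`, but nothing visible in this hunk sets their parameters, so the lockout threshold, unlock time and history depth are whatever `/etc/security/faillock.conf` and `/etc/security/pwhistory.conf` hold on each host. If the role does not manage those files in a task outside this hunk, the baseline enforces distribution defaults rather than a chosen policy; pin `deny`, `unlock_time` and `remember` explicitly, and decide deliberately whether lockout should also cover root and directory accounts, since a low threshold lets repeated failed logins lock a user out. At minimum add a comment above the task such as `# faillock/pwhistory limits come from /etc/security/faillock.conf and pwhistory.conf, not from this command`. Separately, the feature list now lives in both the command string and the seven-clause `when:`, so a feature added to one and not the other will either never be applied or force a re-select on every run. The tasks before and after this one start or end outside the hunk.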