diff --git a/product_properties/10-pam-faillock-conf.yml b/product_properties/10-pam-faillock-conf.yml
index 06735cd3e5bf..7d6ee01c1209 100644
--- a/product_properties/10-pam-faillock-conf.yml
+++ b/product_properties/10-pam-faillock-conf.yml
@@ -1,7 +1,2 @@
default:
pam_faillock_conf_path: "/etc/security/faillock.conf"
-
-overrides:
-{{% if product == 'sle16' %}}
- pam_faillock_conf_path: "/usr/etc/security/faillock.conf"
-{{% endif %}}
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 69ed975ad8c4..ee29db3765fc 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1462,7 +1462,6 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth','auth','','pam_faillock.so',parameter, rule_title=rule_title) | indent(4) }}}
when:
- result_faillock_conf_check.stat.exists
-{{%- endif %}}
- name: {{{ rule_title }}} - Ensure the pam_faillock.so {{{ parameter }}} parameter in PAM files
block:
@@ -1542,6 +1541,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
{{%- endif %}}
when:
- not result_faillock_conf_check.stat.exists
+{{%- endif %}}
{{%- endmacro -%}}
{{#
@@ -2395,7 +2395,7 @@ lines will be inserted at the beginning of the profile.
{{#
- Set a sshd configuration parameter to a value for system with /usr
- located default config
+ Set a sshd configuration parameter to a value for system with /usr
+ located default config
:parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead
:type msg: str
diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template
index b976b2a576a6..eb052c371d52 100644
--- a/shared/templates/pam_account_password_faillock/ansible.template
+++ b/shared/templates/pam_account_password_faillock/ansible.template 
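Review bot: Removing the `overrides:` block leaves `10-pam-faillock-conf.yml` with no record of why `sle16` no longer points `pam_faillock_conf_path` at `/usr/etc/security/faillock.conf`, so a reader of this file alone will assume SLE 16 has the same layout as every other product. A short comment under `default:` would preserve the intent, e.g. `# sle16 ships its packaged defaults in /usr/etc/security/faillock.conf; the pam_account_password_faillock remediations seed this /etc path from them so one path is used throughout`. The same relationship appears in the ansible.template and bash.template hunks of this commit but is stated nowhere.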
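Review bot: Moving `{{%- endif %}}` from after the `result_faillock_conf_check.stat.exists` task (hunk at 1462) to just before `{{%- endmacro -%}}` (hunk at 1541) appears to pull the whole `Ensure the pam_faillock.so {{{ parameter }}} parameter in PAM files` block under an `{{% if %}}` whose opening and condition sit above the first hunk and are not visible here. If that is the intent, any product for which the condition is false now gets no PAM-file remediation at all rather than just skipping the faillock.conf branch, and the macro's doc comment (also outside the hunk) should say so; if not, the `endif` belongs after the first block as before. The enclosing macro starts outside both hunks, so the pairing of `if`/`endif` cannot be confirmed from this diff.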
@@ -3,5 +3,15 @@
# strategy = restrict
# complexity = low
# disruption = low
+
+{{% if product == 'sle16' %}}
+- name: Copy faillock defaults /usr/etc/security/faillock.conf to {{{ pam_faillock_conf_path }}}
+ ansible.builtin.copy:
+ src: /usr/etc/security/faillock.conf
+ dest: {{{ pam_faillock_conf_path }}}
+ force: no
+ mode: '0644'
+{{% endif %}}
+
{{{ ansible_pam_faillock_enable(rule_title=rule_title) }}}
{{{ ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE, rule_title=rule_title) }}}
diff --git a/shared/templates/pam_account_password_faillock/bash.template b/shared/templates/pam_account_password_faillock/bash.template
index e46c3b851976..75bb62141932 100644
--- a/shared/templates/pam_account_password_faillock/bash.template
+++ b/shared/templates/pam_account_password_faillock/bash.template
@@ -1,5 +1,12 @@
# platform = multi_platform_all
+{{% if product == 'sle16' %}}
+PAM_FAILLOCK_DEFAULTS_FILE_NAME="/usr/etc/security/faillock.conf"
+if ! [ -e "{{{ pam_faillock_conf_path }}}" ] ; then
+ cp "${PAM_FAILLOCK_DEFAULTS_FILE_NAME}" "{{{ pam_faillock_conf_path }}}"
+fi
+{{% endif %}}
+
{{{ bash_instantiate_variables(EXT_VARIABLE) }}}
{{{ bash_pam_faillock_enable() }}}
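Review bot: The new `ansible.builtin.copy` task in the ansible.template hunk reads `src: /usr/etc/security/faillock.conf` from the Ansible controller rather than from the SLE 16 host being remediated, because `remote_src` is not set; unless the controller happens to carry that file the task fails before `ansible_pam_faillock_enable` ever runs. Add `remote_src: true` next to `src:` so the packaged defaults are taken from the managed node, which is what the `cp` in the bash.template hunk does. `force: no` already leaves an existing `{{{ pam_faillock_conf_path }}}` untouched, matching the `[ -e ]` guard in the bash variant, so no other change is needed.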