diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml
index 2ea9c2f..bac9c32 100644
--- a/tasks/section_5/cis_5.4.3.x.yml
+++ b/tasks/section_5/cis_5.4.3.x.yml
@@ -34,7 +34,7 @@
 state: "{{ item.state }}"
 marker: "# {mark} - CIS benchmark - Ansible-lockdown"
 create: true
- mode: 'go-w'
+ mode: 'go-wx'
 block: |
 TMOUT={{ ubtu24cis_shell_session_timeout }}
 readonly TMOUT
@@ -54,10 +54,20 @@
 - rule_5.4.3.3
 - NIST800-53R5_AC-3
 - NIST800-53R5_MP-2
- ansible.builtin.replace:
- path: "{{ item.path }}"
- regexp: (?i)(umask\s+\d\d\d)
- replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
- loop:
- - { path: '/etc/profile', line: 'umask' }
- - { path: '/etc/login.defs', line: 'UMASK' }
+ block:
+ - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings"
+ ansible.builtin.replace:
+ path: "{{ item.path }}"
+ regexp: (?i)(umask\s+\d\d\d)
+ replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
+ loop:
+ - { path: '/etc/profile', line: 'umask' }
+ - { path: '/etc/login.defs', line: 'UMASK' }
+
+ - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set"
+ ansible.builtin.template:
+ src: etc/profile.d/50-umask.sh.j2
+ dest: /etc/profile.d/50-umask.sh
+ owner: root
+ group: root
+ mode: 'go+r,go-wx'
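Review bot: The new `mode: 'go-wx'` on the TMOUT blockinfile task is a relative symbolic mode, so the resulting permissions still depend on whatever the file had before: a pre-existing 0600 file stays unreadable to non-root users (and the session timeout is then silently not applied to them), while stray owner-exec or setgid bits are left in place; `create: true` only helps when the file is new. An absolute mode is deterministic and matches what the benchmark expects of a root-owned profile.d script: `mode: '0644'` (quoted, so YAML does not parse the octal as an integer). Consider also adding `owner: root` and `group: root` alongside it, as the new template task in this commit does. The enclosing blockinfile task (its path and name) starts before this hunk.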
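Review bot: The template task's `mode: 'go+r,go-wx'` only adjusts group/other bits, so if /etc/profile.d/50-umask.sh already exists with owner-exec, setuid or similar bits those survive and the end state is not predictable across hosts; since the file is root-owned and merely sourced, the absolute `mode: '0644'` says what is intended and is idempotent. Separately, the `regexp: (?i)(umask\s+\d\d\d)` carried into the new "update current settings" task matches only the first three digits of a four-digit value such as `umask 0022`, leaving the trailing digit appended to the replacement (e.g. `umask 0272`); if four-digit umasks are possible in the target files, `(?i)(umask\s+\d{3,4})` or an anchored `^(\s*umask)\s+\d+` with a back-reference would be safer. The referenced `etc/profile.d/50-umask.sh.j2` is not part of this diff, so its content and its use of `ubtu24cis_bash_umask` cannot be checked here; the enclosing block task's name and `when`/tags sit above this hunk.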