diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index c459b176cf7ea40efb5116245018972b493ae571..ab4fa0a2b80304d422687dc8dfc30108daa69210 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -45,9 +45,19 @@
     owner: root
     group: root
     mode: 0644
+  register: pam_umask
   notify:
     - Update PAM configuration
 
+- name: Update PAM configuration  # noqa 503
+  # [503] Tasks that run when changed should likely be handlers
+  #   In order to have consistent behaviour during the first and
+  #   subsequent playbook runs, make sure the PAM configuration is
+  #   updated immediatelly. This way any files created by commands etc
+  #   should end-up with correct permissions straight away.
+  command: "/usr/sbin/pam-auth-update --package"
+  when: pam_umask.changed
+
 - name: Set login UMASK
   lineinfile:
     dest: "/etc/login.defs"