I have Given name & Surname in "Exclude passwords that match attribute

So Jones Ela user is created (UP is set to default, user has 1 grace login,
password is expired)

User logs in with default, being informed that last grace login was used,
needs to change password

So the user changes password to housejones15

All is OK, but on next boot the user is being informed that the password
needs to be changed

That happens obviously because of

"Verify whether existing passwords comply with the password policy
(verification occurs on login)"

But why did the system allow the user to change the password in the first place to a
password in which the Surname attribute was used?

I would expect the user to NOT be allowed to choose such a password.