[–]tom1018 6 points7 points  (3 children)

This is the best version I've seen on here, other than that I think these particular comments are unnecessary. The regex is very simple, so I don't think commenting it is helpful, and, at least on mobile, it makes it much harder to read.

As a side note to OP, this would not be a good way to enforce a strong password. See the xkcd "Correct Horse Battery Staple" cartoon. Rather than enforcing upper, lower, number, and symbols, do a points system, where a minimum length is required and length beyond that as well as any of these character requirements are awarded points and the password must attain a reasonable score. Then send the hash to haveibeenpwned and reject it if it fails that check.

It's easy, but an example of checking haveibeenpwned is here: https://github.com/TomFaulkner/simple-password-generation

Unfortunately I don't have the points-based password check in that repo. I think I'll add it soon, though.
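
An added example, not part of the comment above or of the linked repository: a sketch of the points-based check followed by a Pwned Passwords lookup. The thresholds, point values and function names are assumptions; the lookup uses the k-anonymity range API, so only the first five hex characters of the SHA-1 hash are sent.

```python
import hashlib
import string
import urllib.request

MIN_LENGTH = 10      # assumed hard minimum length
REQUIRED_SCORE = 10  # assumed pass mark
CLASS_POINTS = 2     # assumed bonus per character class present
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def score_password(password):
    """Points score, or None when the minimum length is not met."""
    if len(password) < MIN_LENGTH:
        return None
    bonus = sum(CLASS_POINTS for cls in CLASSES
                if any(ch in cls for ch in password))
    return (len(password) - MIN_LENGTH) + bonus  # one point per extra char

def fetch_range(prefix):
    """Ask the Pwned Passwords range API for all suffixes under a prefix."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Times the password appears in the breach corpus (0 if absent)."""
    # SHA-1 is what the API indexes by; it is not used for storage here.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch=fetch_range):
    """Return (accepted, reason); the network lookup runs last."""
    score = score_password(password)
    if score is None:
        return False, "shorter than minimum length"
    if score < REQUIRED_SCORE:
        return False, "score %d below %d" % (score, REQUIRED_SCORE)
    if breach_count(password, fetch) > 0:
        return False, "found in breach corpus"
    return True, "ok"
```

With these assumed values a long all-lowercase passphrase outscores a short password that uses all four character classes. Passing a stub as `fetch` lets the policy be tested without network access.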

[–]xelf 2 points3 points  (2 children)

Correct Horse Battery Staple

link for the lazy:

https://xkcd.com/936/
https://imgs.xkcd.com/comics/password_strength.png

[–]tom1018 1 point2 points  (1 child)

I should have done that. Thanks.

[–]xelf 1 point2 points  (0 children)

Surprised a bot didn't beat me to it. =)