I am quite desperate since all my attempts have failed. I hope you have the decisive hint toward the solution I was unable to find.

I have a patch policy (ZCM/ZPM 11.3.2) that asks the user to allow the updates (can be cancelled up to three times and installs at least at the fourth time) at a given time.

To make this work, I have a bundle running as a pre-enforcement action asking the user to accept the update.
Cancelling the update works as wanted - up to three times an update can be postponed.

When the patch policy has run - and the patch(es) is/are successfully installed - the next time the policy runs again (e.g. device refresh), it asks whether the user accepts the updates. But there are no updates...
To my understanding, it should have been checked whether the ZPP has run successfully (all patches installed, no new version of the patch policy) before the pre-enforcement action is started.

I could add a (required) registry key (set in the post-enforcement step) to make the pre-enforcement bundle start or not, but being dependent on another prerequisite could only add more bug sources than really help, couldn't it?

What are your best practices?