Move assignments option based on dynamic assignments

Use case: To reduce the amount of change that occurs at any given time due to patches in the environment, and only introduce change (patch an application) if it is absolutely necessary. For this example, that is when a security patch is issued to resolve vulnerabilities in an application.

Problem: If using dynamic assignments to filter what updates are being assigned based on criteria such as update classification: security, the dynamic assignment will initially assign the update, but does nothing else. So how do you ensure new security updates for the same app will be assigned?

If you rely on the "Copy the assignments..." option in Intune Options, it will copy the assignment to a new update regardless of the dynamic assignment rule.

If you do not use the "Copy the assignments..." option, you'll only get the security updates assigned, but all old versions will remain assigned.

You can leave "Copy the assignments..." unchecked and use the "Delete the assignments..." option, but then you are left with a lot of old applications that you have to manually clean up. You could set the "Delete any previous..." settings, but then you risk losing the most recent security patch for any given app if there are only updates released for the same application that are not security updates that exceed the provided threshold.

Solution: Tie the assignment transition directly to the dynamic assignment rule.

Bonus Solution: Add the same filtering feature at the publishing level, so, as in my example, only updates that meet the update classification: security are published by the publisher. (This would reduce bloat of unwanted app versions and would be an even cleaner option for consideration).