Deploy all software updates using SCCM task sequences

Similar Messages

• How would I rollback or remove a problematic software update using SCCM 2012?

  How would I rollback or remove a problematic software update using SCCM 2012?
  Primarily I'm thinking these patches would be Windows Vista/7/8 OS patches, but would include other Microsoft updates as well (eg. Office, etc.).
  Thanks,
  Bill

  Hi,
  You need to uninstall it using software distribution like a package/program, here is a script that can help you with the uninstallation.
  http://blog.coretech.dk/jgs/vbscript-uninstall-updates-on-winxpwin2003-win7-and-win-2008-r2-automatically/
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Deploying 100% of available software updates during a task sequence

  Hi,
  Can somebody tell me if it actually possible to fully patch a computer via an SCCM 2012 task sequence using the install software updates task? If you have managed this can you shed some light on where I'm going wrong? For me, this behaviour is exactly
  the same as ConfigMgr07... It simply doesn't work as it should.
  I've integrated IE9 into my image and then added in all available updates via offline servicing. My task sequence installs windows, installs Adobe Reader, Office 2010 and Visio Viewer 2010. I then reboot the machine and perform all my patching via the Install
  Software Updates task (with it set to 'all'), then reboot again. I do this four times in total.
  It downloads and installs some 24 updates in the first instance. The second, third and fourth time it doesn't download or install anything.
  When the task sequence completes and the OS first starts up there are 10 updates waiting to be installed (including updates for Adobe Reader and Flash that I have published to the WSUS server via SCUP). After installing those and rebooting there is a single
  hotfix available (KB2533552). After installing that and rebooting, .NET4 Client Profile is waiting for me. After that there another nine more updates are available (mainly .NET4). Reboot, .NET4 Framework, reboot 5x .NET4 framework updates.
  Why does the software update task not install 'all' updates when that is what I've selected? I have an automatic deployment rule targeted to my OSD and Unknown Computers collections. The rule is set to include Windows 7, Office 2010 and Adobe products with
  all update classification types.

  I don't have a pause in my script and have not encountered any issues with the scan not finishing before the Software Update installation step. This is true for my B&C TSs which install in the region of 200 updates, including custom trusted publisher
  updates from SCUP 2011. So I can't really comment on that side of things.
  With regards to the patching side of things: I tried removing the multiple reboot patches from my Task Sequences by excluding them from the Auto Deployment Rules that target the same containers as the task sequences by adding -KBxxxxxx in the ADR. Unfortunately,
  due to me having the multiple reboot updates targeted up 'update' collections that are populated by hardware/software DB queries, any PC that is performing a 'Refresh' TS ends up with the offending patches being targeted for install anyway and the TS fails.
  For a long time I was just removing the client record from the DB and recreating it so that the offending updates would not be targeted to the client. Once the client has been refreshed, a hardware inventory is performed, the collections updated daily, the
  multiple reboot patches are detected and are scheduled for install for the following Friday afternoon. This used to annoy me as I don't like 'incomplete' clients being delivered to users' desktop.
  Recently though I've been toying with offline servicing. At first I attempted to integrate every available update but this just ended up killing things too. A number of the updates that can be installed via offline servicing have a .net 4 pre-requisite
  but because .net 4 cannot be slipstreamed, the prerequisite is not satisfied, Windows setup fails and so does the TS. So using this method there is a chance you'll end up installing a patch that will kill your image... Still not ideal.
  What I have settled on is slipstreaming specific patches into my installation media using dism and then running a B&C TS to update my image.
  This is the batch file I use (you'll need to change to suit):
  Dism /mount-wim /wimfile:D:\SCCMContentSources\Applications\Microsoft\Windows\7\Professional\SP1\64-bit\Sources\install.wim /index:1 /mountdir:D:\HotFixIntegration\Offline
  Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\Updates
  Dism /Image:D:\HotFixIntegration\Offline /LogPath:SourceAddPackagex64.log /Add-Package /PackagePath:D:\HotFixIntegration\Hotfixes\64-bit\IE
  Dism /unmount-wim /mountdir:D:\HotFixIntegration\Offline /commit
  The first line mounts the image.
  The second line slipstreams the following .msu updates:
  kmdf-1.11, KB2526870, KB2529073, KB2545698, KB2561285, KB2574819-v2, KB2592687, KB2617858, KB2670838, KB2726535, KB2729094-v2, KB2786081, KB2834140-v2, KB2847311, KB2855844, KB2862330-v2, KB2862335, KB2864202, KB2868038, KB2876284, KB2883150, KB2884256,
  KB2965788, KB2984976, KB917607, KB971033, KB976399, KB977944, KB981750
  These are essentially just the multiple reboot patches and their pre-requisites, IE11 prerequisites, and a few KBs that not published to WSUS.
  The third line slipstreams IE11 from the IE11 .cab file.
  The fourth line commits the changes to the install media.
  After running a B&C TS from this modified installation source there are no updates available to freshly deployed images (until the next patch Tuesday!).
  Unfortunately this a manual process as I need to check the multiple reboot KB article each time updates are released but it's the only way I can put out 100% patched PCs and have a PC Refresh task sequence that doesn't fail.

• Client not receiving the software update FROM SCCM 2012 R2

  We have SCCM 2012 R2 installed and configured for SUP.and i have synchonice the SUP with WSUS server in the same which is there in the same machine.
  Now i can able to deploy the software update from SCCM 2012 R2 without any erro to the windows 7clients, but client side when i check there is no update installed in the clients , but seems there is no error in the client logs

  Hi,
  I'd start with running a "Software Updates Scan Cycle" from the configuration manager control panel applet and check the log file Windowsupdate.log, WUAhandler.log.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Deploying the SCCM 2012 Client to WES 7 devices that are locked down with the FBWF using 2007 task sequence via WEDM.

  I'm wondering how people are migrating their embedded devices that are using the FBWF. I've done some googling and it seems like most people are just re-imaging the devices and after migrating a single device i see why. Its not a pretty process. This will
  be a long description but ultimately my question stems more from trying to find a better way to execute the device migration from 2007 to 2012.
  Some back ground on my situation might be in order here. I'm in the process of wrapping up our 2007 to 2012 migration. We have a 2007 infrastructure that was a central server with 2 primaries and 286 secondary site servers. I've consolidated that to a single
  2012 primary site server that hosts all the main roles. There are 2 more servers in the data centers both operating solely as push distribution points I'll refer to them as 2012 01 02 and 03. I'm over half way through the migration and so far haven't needed
  to offload any site roles. There are almost 10,000 clients now reporting to the 2012 site server and almost a 100 field servers pulling content from 2012 02 as their source dp as pull dp is the only way forward for this many devices. I've read the horror stories
  of trying spin up 200 plus push dps. We are running PKI. I'm at the point now where i need to start migrating the Windows Embedded Seven Standard clients that have the 2007 sccm client on them with WEDM for write filter handling.
  What i'm wondering is if anyone has any pointers for me regarding migrating the WES 7 devices. My plan that i've come up with is to somehow script the process using a 2007 WEDM Task Sequence to try and migrate them over to 2012. Things are complicated as
  I need to somehow script the install, the policy checkin, hardware inventory, software inventory, and validate the SCEP client installs before I reboot the device one last time to enable the FBWF. How I handled the SCCM 2007 client install on these devices
  when they were provisioned was to just create a batch file that would sleep for ten minutes then check to see if the inventoryagent.log file had been created yet. I realize now that is inefficient as i can kick off the inventory using a WMI method once the
  client has installed. Also I need to make sure the machine gets its first policy as that is how it creates the communication using PKI through that first policy transfer and that also finalizes the client install. The biggest piece i'm uncertain about in this
  regard is the SCEP client.
  I had to change the SCEP client install from yes to no in the default client settings as we have some Mcaffee servers that can't have the SCEP client on them. I have incremental updates enabled on the collection that has the policy that installs the SCEP
  client but this will take an unknown amount of time unless i force the environment to update as the device starts in 2012 install, or if I could kick off the SCEP isntall... IDK. I'm also wondering if i should keep the device in the migration process until
  i validate it has its proper scep policy applied which I believe can be validated by a registry key somewhere.
  Once the 2012 client gets installed will that cause it to lose its place within the 2007 Task Sequence? Considering its going to take a minimum of 2 reboots I'd normally use the task sequence to handle its progression through the process.
  I'm also considering trying to use an Orchestrator runbook, as that would be a good way to keep track of the migration process as each device migrates. Especially since this might take several seperate scripts.
  I'm going to take a stab at scripting the migration process, but if anyone has any pointers that might make this a less complicated I'd really appreciate it as I've got about 3000 of these devices that need to be migrated over. The other things i've learned
  the hard way is any time you have something this complicated over the course of 3000 devices you will run into unknowns and the failure rate increases. I'm in the precarious position of having to not only build this process out but in some situations have
  it complete in the shortest amount of time possible as we have sites running 24x7. I know the end users behavior all to well and they will just keep hitting the power button sometimes even though their not supposed to so they can get their device functional
  again. In those situations i'd end up, if i'm lucky with a device that no longer has a healthy SCCM client in either environment and the write filter disabled.
  So like i said any pointers anyone could throw my way i'd really appreciate. I manually went through the migration process on a single device for proof of concept and ended up with almost 2 pages of pseudo code for my migration script/scripts.
  Thanks,
  -K.R.

  Hi,
  In R2 there are some new variables you can use to solve this,
  http://ccmexec.com/2014/12/smstsmplistrequesttimeout-value-in-milliseconds/
  In Sp1 though adding a step to sleep for 2-5 minuter after reboot and before the application install step is a common workaround.. a powershell command with "Start-Sleep
  -s 120" should do it. 
  /Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Deploy Java and Oracle updates using SCCM 2007 Software Updates

  Hi Team,
  I am using SCCM 2007 to deploy software updates on all my servers. Now i want deploy updates fro third party tools like Adobe, Java etc..Please suggest me on how to deploy these updates using SCCM.
  I am looking for other simple solution than SCUP 2011. Please suggest.
  Thanks
  Siva

  Hi,
  SCUP 2011 would be the way to do it or a package/program. There are commercial software solutions that plugins to configuration Manager like Secunia
  http://secunia.com/vulnerability_scanning/corporate/sc2012_plugin/ ,Solarwinds
  http://www.solarwinds.com/patch-manager.aspx and Shavlik
  http://www.shavlik.com/products/scupdates/ that offer a subscription of updates for these products for a cost of course.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Issue getting SCCM to show KB2998527 (Russia timezone patch) in all software updates

  Hello,
  We are having issues getting the September 2014 Russia timezone patch to show up in SCCM all software updates list.  My colleague did make sure to change WSUS to include it and he did manually get it.  When we go into SCCM, we are unable to still
  get it to show up in the list even after doing an update sync.
  Please let us know how we can get this update to show up in the list as we would like to deploy it company-wide.
  Thank you.
  Justin

  No, we did not.
  At this point, I would suggestion contacting CSS directly for support. They can work with you to solve this problem.
  Garth Jones | My blogs: Enhansoft and
  Old Blog site | Twitter:
  @GarthMJ

• Deploy Java Updates using SCCM 2012 SP1 and SCUP 2011

  What is the best way to deploy Java updates using sccm 2012 SP1 and SCUP 2011?

  I didn´t find Kent´s blog useful when talking about Java. I can deploy Adobe products fine, but I have to import Java manually because not having Shavlik certificate. So with that said, I have the fallowing problem;
  I have full offline installer unpacked, .msi file and Data1.cab. When I´m importing these binaries to SCUP, I only can point to .msi. Doing that, installation fails in client side fails because of lack of data1.cab fine, which is the main file.
  Should I use some other downloaded files of Java? I couldn´t find any Java-update-file only type of files to download.

• Several Updates Missing from "All Software Updates"

  We've been using SCCM 2012 to patch our systems for a few months now and I thought everything was going smoothly until we got an audit back from out Security office about our boxes missing several patches, listed below.  
  So I go back to the SCCM console to check whether or not the patches were listed in the "All Software Updates" group and also the custom Software Update Group that I was deploying to the systems.  And to my surprise, none of the updates were
  listed.  The only Software Update Point Classifications we have
  not enabled are Tools, the rest are enabled. I've also verified that the Software Update Point Products have Windows Server 2003, Windows Server 2008, R2, 2012, and 2012 R2 which encompass the OS of the servers that were found to be deficient.
  Why are these updates not listed in SCCM?
  How can we ensure they get listed in SCCM and applied to our servers?
  How can we prevent this from happening in the future?
  2750841: An IPv6 readiness update is available
  2775511: An enterprise hotfix rollup is available
  2732673: "Delayed write failed" error message when .pst files are stored on a network file server
  2728738: You experience a long logon time when you try to log on to a Windows client that uses roaming profiles
  2862973: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program
  2574819: An update is available that adds support for DTLS
  2894854: An update is available - .NET Framework 4.5.1
  2894844: Description of the security update for the .NET Framework 3.5.1
  HOTFIX : RDS-based applications crash in Windows 7 SP1 or Windows Server 2008 R2 SP1 or Windows Server 2008 R2 SP1 (x64)

  Hi,
  I can't say I have checked all of the updates that you post here but the ones I did check and I normally deploy as well are not published in Windows Update and that is why you don't see them i either WSUS och Configuration Manager. They are Hotfixes and
  not updates that are published there. So you need to download them and either import them using SCUP or deploy them using normal Software Distribution.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Install CS6 Applications via SCCM Task Sequence

  Hi
  We have an SCCM 2012 R2 infrastructure on our network, and want to deploy Adobe CS6 applications using Windows Installer Packages created with Adobe Application Manager Enterprise Edition 3.1
  We created individual packages for each application (for flexibility) following the instructions provided at this address: http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/creativesuite/pdfs/AdobeApplication ManagerEnterpriseEditionDeploy…
  When we go to install the packages via an SCCM Task Sequence, the following occurs:
  1     The application is installed
  2     The application is not installed
  We have followed the instructions provided by Adobe for the deployment, and cannot get any consistency with the installers. For example, when we run the task sequence, the following applications will be installed:
  1     Dreamweaver
  2     Fireworks
  3     Flash Professional
  4     Illustrator
  5     InDesign
  6     Photoshop
  When we run the same task sequence again, the following applications are installed:
  1     Dreamweaver
  2     Fireworks
  3     Illustrator
  4     Photoshop
  The task sequence first images the computer with Windows 7, and reboots the computer between each application being installed
  I have also attempted packaging all the applications together, in a Design and Web Premium style package, with the same, unfortunate results
  Please, can you help with this?

  The error means RPC server unavailable. TS needs to invoke Execution Manager by RPC. This may be caused by the issue of RPC starting. I suggest you check the RPC service availability first. Another try is to add a restart computer step before installing
  SQL. If still no avail, add a Delay "cmd.exe /c timeout /t 900".
  Regarding the connecting network share issue, seems the network services has not been initializing or ready. Another possibility is the DHCP time out. Check the Event log and this may give you some clues of why the network is not ready or DHCP cannot get
  IP address. Network Monitor can also be used to monitor the IP helper when the Client try to send DHCP request after reboot.
  Juke Chou
  TechNet Community Support

• Block, Remove, Delete an Update (KB2959936, KB2932354) from "All Software Updates"

  First off I do not understand updates "KB2959936, KB2932354" as they install the program "Embedded Lockdown Manager" in my Enterprise Windows 7 and 8.1.  My understanding is Embedded Lockdown Manager is only for Windows Embedded....
  I would like to know if there is a way to remove an update from the "All Software Updates" as I know how to block an update from not being deployed however I use the "Schedule Updates" feature for an image and as far as I understand it
  makes all updates available which leaves me having to uncheck each update that I do not want in the WIM.  Since I would never want KB2959936 & KB2932354 to install EVER I would like to remove it entirely, how can I do that.

  You can't remove it. Just don't put it into a deployed software update groups.
  Alternatively, what I do for updates like this is create a new folder under the All Software Updates node and move unwanted updates there (I actually create multiple folders like one for Itanium, one for Beta, one for media center, etc.).
  For these updates though, even if you accidentally deploy it though, there's no risk of anything bas because they aren't applicable to anything in your environment so adding them to a deployed update group no end effect.
  Yes, it will bloat your WMI a bit because its part of the catalog that gets scanned and the results added to WMI, but there's nothing you can do about that (in a supported fashion anyway).
  For WIM files and scheduled updates, DISM will properly recognize these as N/A and won't add them. You can verify this by going to your OfflineServicingMgr.log.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• All Software Updates - Internet Explorer 11

  Just to confirm, Internet Explorer 11 is not suppose to be in the list of All Software Updates ?  There are cumulative and security updates for it, but no Internet Explorer 11 installation.  (though IE 7, 8, and 9 installations are listed)
  Thanks
  PS.  if we need to deploy using the offline installer, are there silent install switches for IE11 ?

  After synchronizing the Software Update Point in SCCM2012 R2, looking at the wsyncmgr.log, there were only a few errors (see below), probably related to the IE11 that we're missing.  Searching for information on "The Microsoft Software
  License Terms have not been completely downloaded and cannot be accepted" error refers to SCCM2012 going through a Proxy internet server, which we don't use.
  sync: SMS synchronizing updates, processed 14085 out of 14085 items (100%)
  Sync failures summary:
  Failed to sync update 5e174b97-938e-41b7-9428-b2f9978ddd2d. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update 359c5eeb-b7ff-447a-9986-5d6283a133f3. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update e67a6ad4-27ae-462f-a340-d7fdc9140619. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update a445f9b8-19d1-471e-a7ea-b4b60c102056. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update f13ddae9-edf3-4b5b-a874-14f35a089e8b. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update 1de9e76a-4e0b-4ee3-b2b2-cccd08f4ff59. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update 817ad2a6-3ca7-4fa2-aa32-9b906a2d9fdc. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Failed to sync update 87e13ecb-c669-43be-9e2a-01e567285031. Error: The Microsoft Software License Terms have not been completely downloaded and cannot be accepted. Source: Microsoft.UpdateServices.Internal.BaseApi.LicenseAgreement.GetById
  Sync failed: Failed to sync some of the updates. Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates
  STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=SC2012.corp.mcelhanney.com SITE=MCE PID=4700 TID=8864 GMTDATE=Wed Apr 22 20:59:22.117 2015 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates"
  ISTR1="Failed to sync some of the updates" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

• Deploying one software update group to multiple collections.

  Good Afternoon,
  We are in the process of rolling out Windows updates to our server environment.  This will be the first rollout on a mass scale. Previously, we have rolled out to about 4 collections to test.
  In a prior life, I managed deploying Windows updates using SCCM 2007. You were able to target to a deployment to a parent collection and select the option to deploy to sub-collections.
  With CM2012, we have a parent folder and our collections live inside of this folder.  My question is this, how can deploy my software update group without having to create a deployment targeted to each individual collections.  Our structure looks
  like this
  Parent Folder (Production)
  Subfolder (Monthly)
  Monthly Collections
  We have 43 monthly collections for production.  I would prefer to not have to create 43 different deployments.  Can you target the parent folder and include the collections?  I read another article where CM2012 did away with the use SubCollections,
  but I have not been able to verify that.
  Any assistance would be appreciated.
  Thank You
  Brian Dougherty

  You can still do something similar as with a top collection in CM07. In CM12 you can use the include collection. So that would mean that one collection can include multiple collections, which allows you to target only one collections. Those separate collections
  can then be used for different maintenance windows (or whatever you want to do with it).
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• SCCM Task sequence OSD issue with windows recovery

  Hi,
  Just wanted to know if anyone else gets a strange issue I have sometimes during my W7 deployment.  We have deployed approx. 1500 PCs using this task sequence with no problems but about 5 or so PCs get stuck after different stages and windows start automatic
  repair and tries to fix an issue which fails and sticks at the recovery screen.
  If you cancel the auto repair the TS continues no issue but this usually happens at our remote sites that are a days drive away.  I have just had it happen on a new PC we just got that I am testing the driver pack with and just wanted to know if
  anyone else has this issue?
  I have a script I run out to all my PCs after SOE is applied to prevent this as we have found our users are not good a clean shutdowns and this prevents auto repair after the fact but I am thinking I might push this script after applying the image to prevent
  this from happening again.
  The script I use is as follows.
  cmd.exe /c "%windir%\system32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures >c:\tempsccm\bcdedit.log
  If anyone can let me know if this happens to you that would be great.
  Cheers.

  You PC need to be recovered error may come in below cases.
  1. MAC id is wrong while importing the asset in CM.
  2. BIOS date and time is improper.
  3. Disk failure
  4. WDS is not functional.
  Regards, Shishir Kushawaha "If this thread answered your question, please click on "Mark as Answer"

• Last night, mail suddenly lost all my emails, which were stored in mailboxes.  What happened and how can I find my lost files?  I have the latest MacBookPro, running Lion 10.7.2 all software updates installed

  Last night the mail application from Apple lost all my old emails, which were stored in mailboxes, neatly sorted by category.  What happened and how do I find them? 
  Details:  I shut down mail to run errands outside my office.  My late model MacBook Pro was on "sleep".  When I returned, I opened the application, and (RATS!) all the mailboxes were missing.  They just evaporated. 
  Operating system:  10.7.2 - all software updates installed and current as of 24 hours ago (12-30-11, 6 AM EST). 
  ln the mail program, the trash folder is OK and the sent folder is OK. 
  Yesterday, I did no maintenance on my mail folders.
  HELP! 

  1 - the sudden disappearance of my 22 mailboxes, used to sort the emails that I need to file for future use
  That was most likely the result of some kind of corruption, as I've already said, not a bug in Mail.  Have you repaired the hard drive with Disk Utility recently?  That wouldn't be a bad idea.
  2 - at random times, mail (or the server) says that my password is incorrect and I must reenter (fix:  usually I can quit mail, restart, and the connection is restored without reentering my password)
  This is a known issue, where a failure to respond promptly on the server's end mimics what happens when the password is rejected.  There's no need to quit Mail, just cancel when asked to enter the password, take the account back online and try again.
  3 - mail seems to resort the mail in my mailboxes at random time.  Several times a day, I must reset the sort to (a) by date; (b) by desending
  Never seen that before.  That points more to some kind of possible corruption in your Mail data or preference files.