Windows Update checking/downloading new updates hangs Windows 2008 R2 Enterprise with TMG installed

We have weird situation with Windows 2008R2 and TMG 2010 installed. It happened two times already on 2nd Tuesday of the month that Windows dropped all connections (VPNs, routing etc) and when trying to log in remotely / locally to it you could only see welcome screen and it never logs you in (I have even waited 30 minutes). Only hard reset is an option then (it's a virtual machine running on Hyper-V R2). We tracked it down to possible Windows Update problem... we always had option Download new updates and let me decide what to do with them turned on which seems to be the cause of hangs.

There's nothing in Application / System logs concerning the hang and in WindowsUpdate log there's:

2011-06-07  16:55:04:976     824    11f0    Agent   WARNING: WU client failed Searching for update with error 0x80072ee2  
2011-06-07  16:55:04:992    2904    67c COMAPI  >>--  RESUMED  -- COMAPI: Search [ClientId = Forefront TMG]  
2011-06-07  16:55:04:992    2904    67c COMAPI    - Updates found = 0  
2011-06-07  16:55:04:992    2904    67c COMAPI    - WARNING: Exit code = 0x00000000, Result code = 0x80072EE2  
2011-06-07  16:55:04:992    2904    67c COMAPI  ---------  
2011-06-07  16:55:04:992    2904    67c COMAPI  --  END  --  COMAPI: Search [ClientId = Forefront TMG]  
2011-06-07  16:55:04:992    2904    67c COMAPI  -------------  
2011-06-07  16:55:04:992    2904    ba8 COMAPI  WARNING: Operation failed due to earlier error, hr=80072EE2  
2011-06-07  16:55:04:992    2904    ba8 COMAPI  FATAL: Unable to complete asynchronous search. (hr=80072EE2)  
2011-06-07  16:55:09:976     824    11f0    Report  REPORT EVENT: {273DB494-865D-4394-A017-8A1290FF7763}    2011-06-07 16:55:04:976+0200    1   148 101  {00000000-0000-0000-0000-000000000000} 0   80072ee2    Forefront TMG   Failure Software Synchronization    Windows Update Client failed to detect with error 0x80072ee2.  
2011-06-07  16:55:10:195     824    11f0    Report  CWERReporter::HandleEvents - WER report upload completed with status 0x8  
2011-06-07  16:55:10:195     824    11f0    Report  WER Report sent: 7.5.7601.17514 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Unmanaged  
2011-06-07  16:55:10:195     824    11f0    Report  CWERReporter finishing event handling. (00000000)  `

We have disabled automatic download of updates for now but would be lovely to find a solution for this.

It seems the problem is related to Time Difference between AD and TMG. Whenever the AD clock and TMG clock differs for 5 minutes (Kerberos setting can be changed to allow more time difference) it makes TMG unresponsive. Took us some time and "hangs" to figure it out!

Hope this helps someone else :-)