GPO Settings Stay After Removal from Domain

You don't have to join a domain to use WSUS. Just point the client against WSUS (http://technet.microsoft.com/en-us/library/dd939844(v=ws.10).aspx).

And if you doubt - We are doing WSUS updates on standalone computers via MDT. Works like a charm.

The easiest thing to do is to move the object to a separate OU that has inheritance blocked. Then run a 'gpupdate /force'. And then remove it from the domain. Any setting that is under Administrative Templates (as well as many others, including Windows Settings\Security Settings) will go back to "Not Configured" after this.

This is intended behavior. Removing a GPO doesn't magically revert the settings made in the GPO.

The way I'd handle this to create a GPO with the settings you want to the machine to have once it's unjoined, apply that GPO to the machine, force a group policy update and then unjoin it from the domain.

Or just image the machine to a state before it's domain joined; both appraoches are pretty easy and low on effort.

The other, much suckier way of handling this is to hunt down the registry keys set by the GPOs and manually change them. This is time-consuming and dangerous, however, and I wouldn't do it unless I had a gun to my head.

Now, having said that, I'd just like to point out that I can't imagine a sane use-case for joining a machine to a domain just to get Windows Updates, and then unjoining it, so I'd say there's something very not right with that whole process, and you might be better suited fixing that mess than dealing with the GPOs, which is just a symptom of this silly procedure.