1) Surely this discrepancy depends "NATIVELY" on Microsoft, even if perhaps a further investigation could verify if instead it is not NTLITE that "neglects" some new setting;
2) If this were not the case, perhaps NTLITE (and here I throw it as it comes to mind) could somehow foresee - if not already present now and I ignore it so ... always ready to learn - the possibility of disabling the network connection until the first post installation boot (Login screen).
This is the correct idea, but a wrong approach.
When you install an Edge-free image, EdgeUpdate magically re-appears to install the latest browser (105.0.1343.27).
To understand what's happening, you have to read C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
OOBE WU is installing EdgeUpdater as a mandatory ZDP (Zero Day Package) update. Pre-emptively disabling the network causes all sorts of unintended problems with Setup, and should be avoided.
Tried two different solutions:
1. Bypassing OOBE WU with the localhost WSUS, since your WSUS server is allowed to provide ZDP updates. That didn't work.
2. GPO restrictions on denying Edge updates don't apply here, since we're not inside a joined domain.
Checking MicrosoftEdgeUpdate.log, we see EdgeUpdater hitting the API endpoint to discover what version of Edge to download. MS documents you have to open the firewall to allow specific update hosts.
The answer is to first remove the Edge-related components:
Code:
edgeupdate 'Microsoft Edge Update'
microsoft.microsoftedge.stable 'Microsoft Edge (Chromium)'
Microsoft.MicrosoftEdge 'Microsoft Edge (Legacy)'
Microsoft.MicrosoftEdgeDevToolsClient 'MicrosoftEdgeDevToolsClient'
pdfreader 'Windows Reader (PDF)'
Edge (Legacy) is a requirement for some apps, but some of you will insist; and PDF Reader doesn't work w/o Edge.
Then add one line to Windows\System32\etc\hosts:
Code:
127.0.0.1 msedge.api.cdp.microsoft.com
Windows right after install, when you block just the Edge API host:
Windows when you block the entire endpoint list:
Code:
127.0.0.1 msedge.api.cdp.microsoft.com
127.0.0.1 msedge.f.tlu.dl.delivery.mp.microsoft.com msedge.f.dl.delivery.mp.microsoft.com
127.0.0.1 msedge.b.tlu.dl.delivery.mp.microsoft.com msedge.b.dl.delivery.mp.microsoft.com
127.0.0.1 msedge.sf.tlu.dl.delivery.mp.microsoft.com msedge.sf.dl.delivery.mp.microsoft.com
127.0.0.1 msedge.sb.tlu.dl.delivery.mp.microsoft.com msedge.sb.dl.delivery.mp.microsoft.com
PS - I expect all this to break if you install the next monthly CU (which includes Edge).
UPDATE - After more testing, we only need to block the API host and not the full Edge hosts list as originally posted.
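
A check for the hosts edit described in the post above, as an added example that is not part of the original post or of NTLite: it parses hosts-file text and reports whether the Edge API host is actually sinkholed. The function names and sample inputs are constructed for illustration; a name counts as blocked only when it is listed and every address given for it is loopback or 0.0.0.0.

```python
import ipaddress

# The one host the post's UPDATE says needs blocking.
EDGE_API_HOST = "msedge.api.cdp.microsoft.com"

def parse_hosts(text):
    """Return {hostname: set of addresses} for every entry in a hosts file."""
    mappings = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address: skip
        for name in fields[1:]:                  # one address may carry several names
            mappings.setdefault(name.lower().rstrip("."), set()).add(addr)
    return mappings

def is_sinkholed(mappings, host):
    """True only if host is listed and every entry for it is loopback or 0.0.0.0."""
    addrs = mappings.get(host.lower().rstrip("."), set())
    return bool(addrs) and all(a.is_loopback or a.is_unspecified for a in addrs)

def audit(text, required=(EDGE_API_HOST,)):
    """Report, per required host, whether the hosts text blocks it."""
    mappings = parse_hosts(text)
    return {host: is_sinkholed(mappings, host) for host in required}

# Constructed sample inputs (not taken from a real image).
HOSTS_BLOCKED = """\
# constructed sample
127.0.0.1 msedge.api.cdp.microsoft.com
127.0.0.1 msedge.f.tlu.dl.delivery.mp.microsoft.com msedge.f.dl.delivery.mp.microsoft.com
"""
HOSTS_COMMENTED_OUT = "#127.0.0.1 msedge.api.cdp.microsoft.com\n"
HOSTS_CONFLICT = (
    "127.0.0.1 MSEDGE.API.CDP.MICROSOFT.COM\n"
    "203.0.113.10 msedge.api.cdp.microsoft.com\n"   # documentation-range address
)

if __name__ == "__main__":
    for label, text in [("blocked", HOSTS_BLOCKED),
                        ("commented out", HOSTS_COMMENTED_OUT),
                        ("conflicting", HOSTS_CONFLICT)]:
        print(label, audit(text))
```

Feeding it the contents of the image's hosts file before deployment catches a commented-out or conflicting entry that would let EdgeUpdate reach the API host during OOBE.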