diff --git a/data/data/bootstrap/files/etc/containers/registries.conf.template b/data/data/bootstrap/files/etc/containers/registries.conf.template
index 56b7d19bc17..37f2ecf3596 100644
--- a/data/data/bootstrap/files/etc/containers/registries.conf.template
+++ b/data/data/bootstrap/files/etc/containers/registries.conf.template
@@ -3,6 +3,7 @@
 location = "{{ $r.Endpoint.Location }}"
 insecure = {{ $r.Endpoint.Insecure }}
 mirror-by-digest-only = {{ $r.MirrorByDigestOnly }}
+blocked = {{ $r.Blocked }}
 {{ range $m := $r.Mirrors -}}
 [[registry.mirror]]
diff --git a/pkg/asset/agent/mirror/registriesconf.go b/pkg/asset/agent/mirror/registriesconf.go
index d7a1c6c1882..c035a4cbbdd 100644
--- a/pkg/asset/agent/mirror/registriesconf.go
+++ b/pkg/asset/agent/mirror/registriesconf.go
@@ -12,6 +12,7 @@ import (
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
+ configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/installer/pkg/asset"
 "github.com/openshift/installer/pkg/asset/agent"
 "github.com/openshift/installer/pkg/asset/agent/joiner"
@@ -220,6 +221,7 @@ func (i *RegistriesConf) generateRegistriesConf(imageDigestSources []types.Image
 registry := sysregistriesv2.Registry{}
 registry.Endpoint.Location = group.Source
 registry.MirrorByDigestOnly = true
+ registry.Blocked = group.SourcePolicy == configv1.NeverContactSource
 for _, mirror := range group.Mirrors {
 registry.Mirrors = append(registry.Mirrors, sysregistriesv2.Endpoint{Location: mirror})
 }
diff --git a/pkg/asset/ignition/bootstrap/common.go b/pkg/asset/ignition/bootstrap/common.go
index f5b7b667d32..429968952bf 100644
--- a/pkg/asset/ignition/bootstrap/common.go
+++ b/pkg/asset/ignition/bootstrap/common.go
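Review bot: In generateRegistriesConf (pkg/asset/agent/mirror/registriesconf.go), `registry.Blocked = group.SourcePolicy == configv1.NeverContactSource` treats every other SourcePolicy value, including an empty or misspelled one, as permission to fall back to the source registry, and no validation of the field is visible in this diff. Because this line is what carries the "never contact source" policy into the generated registries.conf, it deserves a comment such as `// Blocked is set only for NeverContactSource; any other policy value leaves the source registry reachable.` The same expression is repeated in the getTemplateData hunk (pkg/asset/ignition/bootstrap/common.go) and in the generateRegistriesConf hunk of pkg/asset/imagebased/image/registriesconf.go, so a small shared helper would keep the three generators from drifting apart. The function body continues outside the hunk.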
@@ -308,6 +308,7 @@ func (a *Common) getTemplateData(dependencies asset.Parents, bootstrapInPlace bo
 registry := sysregistriesv2.Registry{}
 registry.Endpoint.Location = group.Source
 registry.MirrorByDigestOnly = true
+ registry.Blocked = group.SourcePolicy == configv1.NeverContactSource
 for _, mirror := range group.Mirrors {
 registry.Mirrors = append(registry.Mirrors, sysregistriesv2.Endpoint{Location: mirror})
 }
diff --git a/pkg/asset/ignition/bootstrap/registries.go b/pkg/asset/ignition/bootstrap/registries.go
index abace92856f..f15b8295fbd 100644
--- a/pkg/asset/ignition/bootstrap/registries.go
+++ b/pkg/asset/ignition/bootstrap/registries.go
@@ -3,33 +3,42 @@ package bootstrap
 import (
 "k8s.io/apimachinery/pkg/util/sets"
+ configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/installer/pkg/types"
 )
+// sourceSetKey represents the set of fields that have to be unique to form
+// a merged list without duplicate entries for Image sources.
+type sourceSetKey struct {
+ Source string
+ SourcePolicy configv1.MirrorSourcePolicy
+}
+
 // MergedMirrorSets consolidates a list of ImageDigestSources so that each
 // source appears only once.
 func MergedMirrorSets(sources []types.ImageDigestSource) []types.ImageDigestSource {
- sourceSet := make(map[string][]string)
- mirrorSet := make(map[string]sets.String)
- orderedSources := []string{}
+ sourceSet := make(map[sourceSetKey][]string)
+ mirrorSet := make(map[sourceSetKey]sets.Set[string])
+ orderedSources := []sourceSetKey{}
 for _, group := range sources {
- if _, ok := sourceSet[group.Source]; !ok {
- orderedSources = append(orderedSources, group.Source)
- sourceSet[group.Source] = nil
- mirrorSet[group.Source] = sets.NewString()
+ key := sourceSetKey{Source: group.Source, SourcePolicy: group.SourcePolicy}
+ if _, ok := sourceSet[key]; !ok {
+ orderedSources = append(orderedSources, key)
+ sourceSet[key] = nil
+ mirrorSet[key] = sets.New[string]()
 }
 for _, mirror := range group.Mirrors {
- if !mirrorSet[group.Source].Has(mirror) {
- sourceSet[group.Source] = append(sourceSet[group.Source], mirror)
- mirrorSet[group.Source].Insert(mirror)
+ if !mirrorSet[key].Has(mirror) {
+ sourceSet[key] = append(sourceSet[key], mirror)
+ mirrorSet[key].Insert(mirror)
 }
 }
 }
 out := []types.ImageDigestSource{}
 for _, source := range orderedSources {
- out = append(out, types.ImageDigestSource{Source: source, Mirrors: sourceSet[source]})
+ out = append(out, types.ImageDigestSource{Source: source.Source, Mirrors: sourceSet[source], SourcePolicy: source.SourcePolicy})
 }
 return out
 }
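Review bot: The unchanged doc comment on MergedMirrorSets still promises that each source "appears only once", but with `sourceSetKey` including SourcePolicy the same Source is now emitted once per policy, as the new test case for source "a" shows. The comment should say so, for example `// MergedMirrorSets consolidates a list of ImageDigestSources so that each (source, source policy) pair appears only once.` Downstream, the generators touched by this commit would then write two `[[registry]]` entries for one location with different `blocked` values. As far as I know containers/image is strict about conflicting settings for a repeated location, so it is worth confirming that the resulting registries.conf still loads, or rejecting conflicting policies for one source during validation so the stricter intent is not silently diluted.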
diff --git a/pkg/asset/ignition/bootstrap/registries_test.go b/pkg/asset/ignition/bootstrap/registries_test.go
index aaf44c376d6..f9a0a1ffd0d 100644
--- a/pkg/asset/ignition/bootstrap/registries_test.go
+++ b/pkg/asset/ignition/bootstrap/registries_test.go
@@ -5,6 +5,7 @@ import (
 "github.com/stretchr/testify/assert"
+ configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/installer/pkg/types"
 )
@@ -117,6 +118,33 @@ func TestMergedMirrorSets(t *testing.T) {
 Source: "b",
 Mirrors: []string{"md", "mc"},
 }},
+ }, {
+ input: []types.ImageDigestSource{{
+ Source: "a",
+ Mirrors: []string{"ma"},
+ SourcePolicy: configv1.NeverContactSource,
+ }, {
+ Source: "b",
+ Mirrors: []string{"md", "mc"},
+ SourcePolicy: configv1.NeverContactSource,
+ }, {
+ Source: "a",
+ Mirrors: []string{"mb", "ma"},
+ SourcePolicy: configv1.AllowContactingSource,
+ }},
+ expected: []types.ImageDigestSource{{
+ Source: "a",
+ Mirrors: []string{"ma"},
+ SourcePolicy: configv1.NeverContactSource,
+ }, {
+ Source: "b",
+ Mirrors: []string{"md", "mc"},
+ SourcePolicy: configv1.NeverContactSource,
+ }, {
+ Source: "a",
+ Mirrors: []string{"mb", "ma"},
+ SourcePolicy: configv1.AllowContactingSource,
+ }},
 }}
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
diff --git a/pkg/asset/imagebased/image/registriesconf.go b/pkg/asset/imagebased/image/registriesconf.go
index 133bd869a6c..529df4a5e54 100644
--- a/pkg/asset/imagebased/image/registriesconf.go
+++ b/pkg/asset/imagebased/image/registriesconf.go
@@ -6,6 +6,7 @@ import (
 "github.com/containers/image/v5/pkg/sysregistriesv2"
 "github.com/pelletier/go-toml"
+ configv1 "github.com/openshift/api/config/v1"
 "github.com/openshift/installer/pkg/asset"
 "github.com/openshift/installer/pkg/asset/ignition/bootstrap"
 "github.com/openshift/installer/pkg/types"
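Review bot: The table entry added to TestMergedMirrorSets sets only `input` and `expected`, so `t.Run(test.name, …)` runs it under an empty subtest name; give it a label such as `name: "same source, different source policies",` (wording constructed here). The case covers one source under two policies only. A further entry with the same Source and the same SourcePolicy split across two groups would pin that mirrors are still merged under the new composite key. The test function starts and ends outside the hunk.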
@@ -73,6 +74,7 @@ func (i *RegistriesConf) generateRegistriesConf(imageDigestSources []types.Image
 registry := sysregistriesv2.Registry{}
 registry.Endpoint.Location = group.Source
 registry.MirrorByDigestOnly = true
+ registry.Blocked = group.SourcePolicy == configv1.NeverContactSource
 for _, mirror := range group.Mirrors {
 registry.Mirrors = append(registry.Mirrors, sysregistriesv2.Endpoint{Location: mirror})
 }