diff --git a/staging/cse/windows/configfunc.ps1 b/staging/cse/windows/configfunc.ps1
index a921e1981a5..49ea6bec49d 100644
--- a/staging/cse/windows/configfunc.ps1
+++ b/staging/cse/windows/configfunc.ps1
@@ -396,6 +396,32 @@ providers:
     apiVersion: credentialprovider.kubelet.k8s.io/v1
     args:
       - $azureConfigFile
+"@
+    }
+    elseif (![string]::IsNullOrEmpty($global:BootstrapProfileContainerRegistryServer)) {
+        $mcrRegistry = if ((Test-Path variable:global:MCRRepositoryBase) -and
+            -not [string]::IsNullOrEmpty($global:MCRRepositoryBase)) {
+            ([string]$global:MCRRepositoryBase).TrimEnd("/")

+        }
+        else {
+            "mcr.microsoft.com"
+        }
+        $credentialProviderConfig = @"
+apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers:
+  - name: acr-credential-provider
+    matchImages:
+        - "*.azurecr.io"
+        - "*.azurecr.cn"
+        - "*.azurecr.de"
+        - "*.azurecr.us"
+        - "${mcrRegistry}"
+    defaultCacheDuration: "10m"
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+    args:
+        - $azureConfigFile
+        - --registry-mirror=${mcrRegistry}:{$global:BootstrapProfileContainerRegistryServer}
 "@
     }
     $credentialProviderConfig | Out-File -encoding ASCII -filepath "$CredentialProviderConfPATH"
diff --git a/staging/cse/windows/configfunc.tests.ps1 b/staging/cse/windows/configfunc.tests.ps1
index 86af4728313..3ff6d5727ea 100644
--- a/staging/cse/windows/configfunc.tests.ps1
+++ b/staging/cse/windows/configfunc.tests.ps1
@@ -153,6 +153,61 @@ Describe 'Config-CredentialProvider' {
             $normalizedActual | Should -Be $normalizedExpected
        }
     }
+    Context 'BootstrapProfileContainerRegistryServer is set with default MCR' {
+        BeforeEach {
+            $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
+            # Ensure MCRRepositoryBase is not set so it falls back to mcr.microsoft.com
+            Remove-Variable -Name MCRRepositoryBase -Scope Global -ErrorAction SilentlyContinue
+        }
+        AfterEach {
+            $global:BootstrapProfileContainerRegistryServer = $null
+        }
+        It "should include mcr.microsoft.com in matchImages and registry-mirror arg" {
+            $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "BootstrapProfileContainerRegistryServerDefault.config.yaml"))
+            Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ""
+            $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH
+
+            $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
+            $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
+            $normalizedActual | Should -Be $normalizedExpected
+        }
+    }
+    Context 'BootstrapProfileContainerRegistryServer is set with custom MCRRepositoryBase' {
+        BeforeEach {
+            $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
+            $global:MCRRepositoryBase = "custom.mcr.contoso.com"
+        }
+        AfterEach {
+            $global:BootstrapProfileContainerRegistryServer = $null
+            $global:MCRRepositoryBase = $null
+        }
+        It "should use custom MCRRepositoryBase in matchImages and registry-mirror arg" {
+            $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "BootstrapProfileContainerRegistryServerCustomMCR.config.yaml"))
+            Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ""
+            $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH
+
+            $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
+            $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
+            $normalizedActual | Should -Be $normalizedExpected
+        }
+    }
+    Context 'CustomCloudContainerRegistryDNSSuffix takes precedence over BootstrapProfileContainerRegistryServer' {
+        BeforeEach {
+            $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
+        }
+        AfterEach {
+            $global:BootstrapProfileContainerRegistryServer = $null
+        }
+        It "should use CustomCloud config and not include registry-mirror when both are set" {
+            $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "CustomCloudContainerRegistryDNSSuffixNotEmpty.config.yaml"))
+            Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ".azurecr.microsoft.fakecloud"
+            $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH
+
+            $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
+            $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
+            $normalizedActual | Should -Be $normalizedExpected
+        }
+    }
 }
 
 Describe 'Validate-CredentialProviderConfigFlags' {
diff --git a/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml
new file mode 100644
index 00000000000..d93f17d531f
--- /dev/null
+++ b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml
@@ -0,0 +1,15 @@
+apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers:
+  - name: acr-credential-provider
+    matchImages:
+        - "*.azurecr.io"
+        - "*.azurecr.cn"
+        - "*.azurecr.de"
+        - "*.azurecr.us"
+        - "custom.mcr.contoso.com"
+    defaultCacheDuration: "10m"
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+    args:
+        - staging\cse\windows\credentialProvider.tests.suites\azure.json
+        - --registry-mirror=custom.mcr.contoso.com:myregistry.azurecr.io
diff --git a/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml
new file mode 100644
index 00000000000..9485308eab9
--- /dev/null
+++ b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml
@@ -0,0 +1,15 @@
+apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers:
+  - name: acr-credential-provider
+    matchImages:
+        - "*.azurecr.io"
+        - "*.azurecr.cn"
+        - "*.azurecr.de"
+        - "*.azurecr.us"
+        - "mcr.microsoft.com"
+    defaultCacheDuration: "10m"
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+    args:
+        - staging\cse\windows\credentialProvider.tests.suites\azure.json
+        - --registry-mirror=mcr.microsoft.com:myregistry.azurecr.io