diff --git a/cmd/aro/update_ocp_versions.go b/cmd/aro/update_ocp_versions.go
index 74a14ca2e72..43e9a72a522 100644
--- a/cmd/aro/update_ocp_versions.go
+++ b/cmd/aro/update_ocp_versions.go
@@ -5,6 +5,8 @@ package main
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"os"
 
@@ -30,19 +32,38 @@ func getLatestOCPVersions(ctx context.Context, log *logrus.Entry) ([]api.OpenShi
 	dstRepo := dstAcr + acrDomainSuffix
 	ocpVersions := []api.OpenShiftVersion{}
 
+	// INSTALLER_IMAGE_DIGESTS is the mapping of a minor version to
+	// the aro-installer wrapper digest.  This allows us to utilize
+	// Azure Safe Deployment Practices (SDP) instead of pushing the
+	// version tag and deploying to all regions at once.
+	var installerImageDigests map[string]string
+	jsonData := []byte(os.Getenv("INSTALLER_IMAGE_DIGESTS"))
+
+	// For Azure DevOps pipelines, the JSON data is Base64-encoded
+	// since it's embedded in JSON-formatted build artifacts.  But
+	// let's not force that on local development mode.
+	if !env.IsLocalDevelopmentMode() {
+		jsonData, err = base64.StdEncoding.DecodeString(string(jsonData))
+		if err != nil {
+			return nil, fmt.Errorf("INSTALLER_IMAGE_DIGESTS: Failed to decode base64: %v", err)
+		}
+	}
+	if err = json.Unmarshal(jsonData, &installerImageDigests); err != nil {
+		return nil, fmt.Errorf("INSTALLER_IMAGE_DIGESTS: Failed to parse JSON: %v", err)
+	}
+
 	for _, vers := range version.HiveInstallStreams {
 		installerPullSpec := fmt.Sprintf("%s/aro-installer:%s", dstRepo, vers.Version.MinorVersion())
-		digest, ok := version.InstallerImageDigest[vers.Version.MinorVersion()]
+		digest, ok := installerImageDigests[vers.Version.MinorVersion()]
 		if !ok {
 			return nil, fmt.Errorf("no digest found for version %s", vers.Version.String())
 		}
 
-		installerPullSpec = fmt.Sprintf("%s@sha256:%s", installerPullSpec, digest)
 		ocpVersions = append(ocpVersions, api.OpenShiftVersion{
 			Properties: api.OpenShiftVersionProperties{
 				Version:           vers.Version.String(),
 				OpenShiftPullspec: vers.PullSpec,
-				InstallerPullspec: installerPullSpec,
+				InstallerPullspec: installerPullSpec + "@" + digest,
 				Enabled:           true,
 			},
 		})
diff --git a/pkg/util/version/const.go b/pkg/util/version/const.go
index d49e0b2e734..93e61f99cdd 100644
--- a/pkg/util/version/const.go
+++ b/pkg/util/version/const.go
@@ -25,14 +25,6 @@ const (
 
 var GitCommit = "unknown"
 
-// InstallerImageDigest is the mapping of a minor version to the aro-installer wrapper digest
-// this allows us to utilize SDP instead of pushing up the tag and it rolling out to all regions
-// at once
-var InstallerImageDigest = map[string]string{
-	NewVersion(4, 10).MinorVersion(): "eef5f0d82ab07c866999f99a632edafd845e0dc48a0f06eac9df46b0ab882231",
-	NewVersion(4, 11).MinorVersion(): "82869dd10841046c4b98fc46c6f87030c82b320b82f990610c1fa87150004730",
-}
-
 // DefaultInstallStream describes stream we are defaulting to for all new clusters
 var DefaultInstallStream = &Stream{
 	Version:  NewVersion(4, 10, 54),