diff --git a/src/windows/wslaservice/exe/WSLAVirtualMachine.cpp b/src/windows/wslaservice/exe/WSLAVirtualMachine.cpp
index f781059a0..5ff6ce5c6 100644
--- a/src/windows/wslaservice/exe/WSLAVirtualMachine.cpp
+++ b/src/windows/wslaservice/exe/WSLAVirtualMachine.cpp
@@ -872,6 +872,9 @@ Microsoft::WRL::ComPtr<WSLAProcess> WSLAVirtualMachine::CreateLinuxProcessImpl(
     // std::thread::joinable() is const, so this can be called without acquiring the lock.
     THROW_HR_IF(HRESULT_FROM_WIN32(ERROR_INVALID_STATE), !m_processExitThread.joinable());
 
+    THROW_WIN32_IF_MSG(
+        ERROR_NOT_SUPPORTED, Options.User != nullptr, "Custom users are not supported for root namespace processes");
+
     auto setErrno = [Errno](int Error) {
         if (Errno != nullptr)
         {
diff --git a/test/windows/WSLATests.cpp b/test/windows/WSLATests.cpp
index 463b47ca1..92931d7ad 100644
--- a/test/windows/WSLATests.cpp
+++ b/test/windows/WSLATests.cpp
@@ -1304,6 +1304,15 @@ class WSLATests
             auto process = launcher.Launch(*m_defaultSession);
             ValidateProcessOutput(process, {{1, "foo  bar\n"}}); // expect two spaces for the empty argument.
         }
+
+        // Validate error paths
+        {
+            WSLAProcessLauncher launcher("/bin/bash", {"/bin/bash"});
+            launcher.SetUser("nobody"); // Custom users are not supported for root namespace processes.
+
+            auto [hresult, error, process] = launcher.LaunchNoThrow(*m_defaultSession);
+            VERIFY_ARE_EQUAL(hresult, HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED));
+        }
     }
 
     TEST_METHOD(CrashDumpCollection)
@@ -1534,6 +1543,19 @@ class WSLATests
             ValidateProcessOutput(process, {{1, "nobody\n"}});
         }
 
+        // Validate that the group is correctly wired.
+        {
+            WSLAContainerLauncher launcher("debian:latest", "test-group", {"groups"});
+
+            launcher.SetUser("nobody:www-data");
+
+            auto container = launcher.Launch(*m_defaultSession);
+            auto process = container.GetInitProcess();
+            ValidateProcessOutput(process, {{1, "www-data\n"}});
+        }
+
+        // TODO: Add test coverage for error message when the user / group doesn't exist.
+
         // Validate that empty arguments are correctly handled.
         {
             WSLAContainerLauncher launcher("debian:latest", "test-empty-args", {"echo", "foo", "", "bar"});
@@ -2017,6 +2039,15 @@ class WSLATests
             ValidateProcessOutput(process, {{1, "nobody\n"}});
         }
 
+        // Validate that the group is correctly wired.
+        {
+            WSLAProcessLauncher launcher({}, {"groups"});
+            launcher.SetUser("nobody:www-data");
+
+            auto process = launcher.Launch(container.Get());
+            ValidateProcessOutput(process, {{1, "www-data\n"}});
+        }
+
         // Validate that stdin is correctly wired.
         {
             auto process = WSLAProcessLauncher({}, {"/bin/cat"}, {}, WSLAProcessFlagsStdin).Launch(container.Get());