diff --git a/fwprovider/test/resource_container_test.go b/fwprovider/test/resource_container_test.go
index f7bde74d..f54e71bf 100644
--- a/fwprovider/test/resource_container_test.go
+++ b/fwprovider/test/resource_container_test.go
@@ -104,9 +104,11 @@ func TestAccResourceContainer(t *testing.T) {
 				}`, WithRootUser()),
 				Check: resource.ComposeTestCheckFunc(
 					ResourceAttributes(accTestContainerName, map[string]string{
-						"description":            "my\ndescription\nvalue\n",
-						"device_passthrough.#":   "1",
-						"initialization.0.dns.#": "0",
+						"unprivileged":              "true",
+						"description":               "my\ndescription\nvalue\n",
+						"device_passthrough.#":      "1",
+						"device_passthrough.0.mode": "0660",
+						"initialization.0.dns.#":    "0",
 					}),
 					func(*terraform.State) error {
 						ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
diff --git a/proxmoxtf/resource/container/container.go b/proxmoxtf/resource/container/container.go
index b88cc5c6..3ea7949a 100644
--- a/proxmoxtf/resource/container/container.go
+++ b/proxmoxtf/resource/container/container.go
@@ -50,6 +50,7 @@ const (
 	dvCPUCores                          = 1
 	dvCPUUnits                          = 1024
 	dvDescription                       = ""
+	dvDevicePassthroughMode             = "0660"
 	dvDiskDatastoreID                   = "local"
 	dvDiskSize                          = 4
 	dvFeaturesNesting                   = false
@@ -710,6 +711,7 @@ func Container() *schema.Resource {
 							Type:        schema.TypeString,
 							Description: "Access mode to be set on the device node (e.g. 0666)",
 							Optional:    true,
+							Default:     dvDevicePassthroughMode,
 							ValidateDiagFunc: validation.ToDiagFunc(validation.StringMatch(
 								regexp.MustCompile(`0[0-7]{3}`), "Octal access mode",
 							)),
@@ -2376,7 +2378,7 @@ func containerRead(ctx context.Context, d *schema.ResourceData, m interface{}) d
 		if dp.Mode != nil {
 			devicePassthrough[mkDevicePassthroughMode] = *dp.Mode
 		} else {
-			devicePassthrough[mkDevicePassthroughMode] = ""
+			devicePassthrough[mkDevicePassthroughMode] = dvDevicePassthroughMode
 		}
 
 		devicePassthrough[mkDevicePassthroughPath] = dp.Path
@@ -2744,6 +2746,21 @@ func containerRead(ctx context.Context, d *schema.ResourceData, m interface{}) d
 		diags = append(diags, diag.FromErr(err)...)
 	}
 
+	currentUnprivileged := types.CustomBool(d.Get(mkUnprivileged).(bool))
+
+	if len(clone) == 0 || currentUnprivileged {
+		if containerConfig.Unprivileged != nil {
+			e = d.Set(
+				mkUnprivileged,
+				bool(*containerConfig.Unprivileged),
+			)
+		} else {
+			e = d.Set(mkUnprivileged, false)
+		}
+
+		diags = append(diags, diag.FromErr(e)...)
+	}
+
 	currentProtection := types.CustomBool(d.Get(mkProtection).(bool))
 
 	if len(clone) == 0 || currentProtection {