In the Administering Windows Server Hybrid Core Infrastructure materials under Hyper-V management, Microsoft specifies that Enhanced Session Mode changes VMConnect from a raw console attach to a connection that uses Remote Desktop Protocol (RDP) to the guest. The guide states that Enhanced Session Mode “uses RDP to establish the VMConnect session so the user must supply credentials for a logon to the guest operating system,” and further that it “prevents a second administrator from inheriting an already signed-in console session” because the connection is treated as a new interactive sign-in. In contrast, the default basic console session “attaches directly to the active console without prompting for credentials,” which is exactly the current problem described for VM2.

The same objective area clarifies that other options do not meet the requirement: Guest Services integration only enables file copy and certain host-guest interactions; Credential Guard protects secrets inside Windows by isolating LSASS but does not affect Hyper-V console connection behavior; Shielded VMs provide fabric-level protections and encryption but are not required merely to force credential prompts for VMConnect.

Therefore, to force users to provide credentials when they connect to VM2 and to eliminate inherited console sessions, you should enable Enhanced Session Mode on the Hyper-V host (and ensure the guest supports RDP).