How to prevent NTLM login

0

I have continuous login requests on Windows Server 2016. Each time it is requested from a different IP address, also from countries where we don't have users for sure, because we have only 10 users in one country in one office only; we are sure all are in one country. I know our server should have only specific IP addresses of one country, but why do we get the log below with IPs from different countries?

We have been trying to prevent this.

Why or what is the login below?

If we prevent the below, can we still have access to the server via RDP? We still need RDP...

In the Event Viewer server log:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Versand
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   workstation
    Source Network Address: xxx.x.x.x.x
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:         0
windows-server-2012
windows-server-2016
windows-security
asked on Stack Overflow Dec 7, 2019 by result
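The record pasted in the question is Windows Security event ID 4625 ("An account failed to log on") with logon type 3 (network logon) and authentication package NTLM: something on the network is sending NTLM credentials for a user name that does not exist. The following is an added example, not code from the original post, showing how a defender can pull such records out of the Security log and summarise them by source address to see which hosts are repeatedly failing. The sample event XML, user names, IP addresses and the `ConvertFrom-LogonFailureXml` / `Get-NtlmFailureSummary` function names are constructed for this example; the `Data Name` fields match those of a real 4625 event.

```powershell
# Added example (not from the original post): parse Security event 4625 records
# and summarise NTLM network-logon failures per source IP.

function ConvertFrom-LogonFailureXml {
    # Turns the XML of one event 4625 (as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        User        = $data['TargetUserName']
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        LogonProc   = ($data['LogonProcessName']).Trim()
        SubStatus   = $data['SubStatus']            # 0xC0000064 = user name does not exist
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Get-NtlmFailureSummary {
    # Keeps only NTLM network logons (type 3) and groups them by source address.
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 5)
    $Events |
      Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' } |
      Group-Object SourceIp |
      ForEach-Object {
          $times = $_.Group.Time | Sort-Object
          [pscustomobject]@{
              SourceIp  = $_.Name
              Attempts  = $_.Count
              Users     = ($_.Group.User | Sort-Object -Unique) -join ','
              FirstSeen = $times[0]
              LastSeen  = $times[-1]
              Flag      = if ($_.Count -ge $Threshold) { 'review: repeated failures' } else { '' }
          }
      } | Sort-Object Attempts -Descending
}

function New-SampleFailureXml {
    # Constructed sample event in the shape of a real 4625 record (for offline testing only).
    param([string]$Ip, [string]$User, [string]$When)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$When"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: six failures from one address with guessed names, one from another.
$sample = @(
    (New-SampleFailureXml -Ip '198.51.100.23' -User 'Versand'       -When '2019-12-07T10:15:00Z'),
    (New-SampleFailureXml -Ip '198.51.100.23' -User 'admin'         -When '2019-12-07T10:15:04Z'),
    (New-SampleFailureXml -Ip '198.51.100.23' -User 'administrator' -When '2019-12-07T10:15:09Z'),
    (New-SampleFailureXml -Ip '198.51.100.23' -User 'test'          -When '2019-12-07T10:15:13Z'),
    (New-SampleFailureXml -Ip '198.51.100.23' -User 'Versand'       -When '2019-12-07T10:15:20Z'),
    (New-SampleFailureXml -Ip '198.51.100.23' -User 'backup'        -When '2019-12-07T10:15:27Z'),
    (New-SampleFailureXml -Ip '203.0.113.5'   -User 'jsmith'        -When '2019-12-07T11:02:00Z')
) | ForEach-Object { ConvertFrom-LogonFailureXml $_ }

Get-NtlmFailureSummary -Events $sample -Threshold 5 | Format-Table -AutoSize

# Live query on the server itself (elevated session), last 24 hours of event 4625:
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} |
#         ForEach-Object { ConvertFrom-LogonFailureXml $_.ToXml() }
# Get-NtlmFailureSummary -Events $live | Format-Table -AutoSize
```

Grouping by `SourceIp` rather than by user is what makes the pattern in the question visible: one address cycling through many non-existent names within seconds is the signature of automated guessing, whereas a real user's typo shows up as a handful of failures for one valid name. The `Flag` threshold is a constructed starting point, not a tuned value.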

1 Answer

0

NTLM is just the authentication protocol on Windows domain networks, and it is still widely used in comparison to Kerberos, which is a newer protocol released by Microsoft. Disabling NTLM will mean you prevent any users using that protocol from connecting. One option is to disable NTLM and use Kerberos, but that means all your users must be configured to use Kerberos as well.

Check out this page for more info: http://woshub.com/disable-ntlm-authentication-windows/

Rather than going through that, I would recommend that you restrict the IP addresses that can connect through RDP, if you know the IP addresses of all 10 users.

Open Windows Firewall with Advanced Security, click on Inbound Rules, locate the RDP rule, right click it, then Properties, and click on the Scope tab. There, in the Remote IP Addresses section, you should be able to manually add the IP addresses of your users that should be able to connect. Any IP address not within the scope will not be able to connect.

Reference: https://support.managed.com/kb/a2499/restrict-rdp-access-by-ip-address.aspx

Also, you pointed out that the logon attempts were from different countries, so you can't eliminate the possibility that users were using VPNs.

answered on Stack Overflow Apr 29, 2020 by Sparky
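The same scope restriction the answer describes through the Windows Firewall GUI can be applied and verified from an elevated PowerShell session on the server using the built-in NetSecurity cmdlets, which is easier to review and to repeat on a second server. This is an added example, not code from the answer; the addresses in `$allowed` and the `Get-RdpRuleScope` helper name are constructed placeholders. It also goes one step beyond the answer: because the failures in the question are logon type 3 (network logons), they can arrive through any internet-reachable service, so the last block lists other enabled inbound allow rules that are still scoped to "Any" for the same review.

```powershell
# Added example (not from the original answer): restrict the "Remote Desktop" rule
# group to a fixed list of remote addresses, then verify, then audit other rules.
# Run in an elevated PowerShell on the server. Addresses below are placeholders.

# Allowed sources: the office public address plus the administrator's management
# address, so the change cannot lock the administrator out of RDP.
$allowed = @('203.0.113.10', '198.51.100.0/24')

function Get-RdpRuleScope {
    # One object per enabled RDP rule with its current remote-address scope.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
      ForEach-Object {
          $filter = $_ | Get-NetFirewallAddressFilter
          [pscustomobject]@{
              Rule          = $_.DisplayName
              Profile       = $_.Profile
              RemoteAddress = ($filter.RemoteAddress -join ',')
          }
      }
}

Write-Host 'Scope before:'
Get-RdpRuleScope | Format-Table -AutoSize      # weak default: RemoteAddress = Any

# Hardened scope: only the listed addresses may reach the RDP rules.
# Equivalent to the Scope tab -> Remote IP Addresses -> "These IP addresses" in the GUI.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $allowed

Write-Host 'Scope after:'
Get-RdpRuleScope | Format-Table -AutoSize

# Fail loudly if any enabled RDP rule is still open to every remote address.
$stillOpen = Get-RdpRuleScope | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($stillOpen) { throw "RDP rules still open to Any: $($stillOpen.Rule -join ', ')" }

# Logon type 3 failures are network logons and are not tied to RDP, so list the other
# enabled inbound allow rules whose remote scope is still Any and review them the same way.
Write-Host 'Other inbound allow rules still scoped to Any:'
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object { $_.DisplayGroup -ne 'Remote Desktop' } |
  ForEach-Object {
      $filter = $_ | Get-NetFirewallAddressFilter
      if ($filter.RemoteAddress -eq 'Any') { $_.DisplayName }
  } |
  Sort-Object -Unique
```

`Set-NetFirewallRule -DisplayGroup 'Remote Desktop'` changes every rule in the group (TCP, UDP and shadowing rules across all profiles) in one step, which is why the verification re-reads the scope afterwards instead of trusting the call. Keep a second, non-RDP path to the server open (console access or an out-of-band management connection) while testing the new scope, since a typo in `$allowed` will block the administrator along with the scanners.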

User contributions licensed under CC BY-SA 3.0