NT LAN Manager (including LM, NTLM v1, v2, and NTLM2) is enabled and active in Server 2016 by default, as it's still used for local logon (on non-domain controllers) and workgroup logon authentication in Server 2016. You can restrict and/or disable NTLM authentication via Group Policy by following these steps:
Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Controllers Policy. Go to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policies:
Network Security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
Network Security: Restrict NTLM: NTLM authentication in this domain: Deny for Domain Accounts to Domain Servers.
Network security: Restrict NTLM: Audit Incoming NTLM Traffic: Enable auditing for all accounts
Regarding RDP, it will use NTLM as default if it is not blocked, but when blocked it will connect using Kerberos authentication as long as the client supports it. By default the Microsoft Remote Desktop app will support it, but bear in mind that other 3rd-party RDP clients may not support the use of Kerberos only.
Another option would be to use the CredSSP protocol, which would allow the delegation of local credentials into a second machine, also called "2nd Hop". I am adding the next article as reference for your information:
Hope this resolves your query!
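To confirm that the three policies named in the answer actually took effect on a domain controller, the following added example (not part of the original answer) reads the registry values those policies write and compares them with the settings listed above. The registry paths, value names and numeric codes are not given in the answer; they are stated here from general Windows knowledge, and `Test-NtlmPolicy` is a hypothetical helper name.

```powershell
# Added example: verify the three NTLM policies from the answer above.
# Registry paths, value names and numeric codes are assumptions from general
# Windows knowledge; the answer itself only names the Group Policy settings.
$checks = @(
    [pscustomobject]@{
        Policy   = 'LAN Manager authentication level'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name     = 'LmCompatibilityLevel'
        Expected = 5   # Send NTLMv2 response only. Refuse LM & NTLM
    },
    [pscustomobject]@{
        Policy   = 'Restrict NTLM: NTLM authentication in this domain'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name     = 'RestrictNTLMInDomain'
        Expected = 1   # Deny for domain accounts to domain servers
    },
    [pscustomobject]@{
        Policy   = 'Restrict NTLM: Audit Incoming NTLM Traffic'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name     = 'AuditReceivingNTLMTraffic'
        Expected = 2   # Enable auditing for all accounts
    }
)

function Test-NtlmPolicy {
    param([Parameter(Mandatory)] [object[]] $Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy has not been applied here.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

        if ($null -eq $actual)               { $state = 'NotConfigured' }
        elseif ($actual -eq $c.Expected)     { $state = 'Match' }
        else                                 { $state = 'Mismatch' }

        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

Test-NtlmPolicy -Checks $checks | Format-Table -AutoSize
```

Run it in an elevated session on a domain controller after the policy has refreshed; a `NotConfigured` row means the value is absent and the operating system default applies.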