Score:0

Windows 2012r2 domain environment and NTLM logins


I would like to disable all NTLM in my domain environment, but before that I enabled NTLM auditing on the domain controller, and I see some 8004 events with my local domain users and computers in the event descriptions. All my clients have Windows 10 installed, so why is NTLM still being used in my environment, when Kerberos should be used by default?

We aren't going to know why your clients, with no information, are using NTLM.
Score:0

Have a read of Steve Syfuhs's blog entry here - nothing more needs to be said on the matter. He covers all you need to know as to why some things are happening and the path forward.

https://syfuhs.net/killing-ntlm-is-hard

Selection of interest:

And why are things using NTLM when they shouldn't? Well, for the two properties I just described.

  1. If a client doesn't have line of sight to a DC it can't do Kerberos, so it falls back to NTLM.

  2. Server auth is forcing a downgrade to NTLM.

Further on the second point: NTLM doesn't do server authentication, so for whatever application or process is not requesting or not handling server authentication, Kerberos can't work and it falls back to NTLM authentication.


In short, you're asking a question that only you can answer. You need to investigate each of the entries in the log and ascertain why Kerberos didn't work in each incident, then you can figure out how to fix it, or live with it. If you can remediate them all, then you can disable NTLM.

Score:0

To find the application which needs NTLM, you could add a test account to the domain group "Protected Users", log on with it and test all your applications one by one. Members of "Protected Users" are disallowed from using NTLM, so for them, application authentication should fail straight away when only NTLM is possible.
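A PowerShell script, added here and not taken from either answer, that turns the 8004 events from the first answer into a list of servers, clients and accounts to investigate, and applies the second answer's Protected Users test to a probe account. The message field labels and the probe account name are assumptions; it expects NTLM auditing to already be enabled on the DC and the RSAT ActiveDirectory module to be installed.

```powershell
# Added example (not from the question or answers): summarise the DC's NTLM
# 8004 audit events so every client/account still using NTLM can be chased
# down, and optionally place a test account into "Protected Users" to confirm
# which application breaks without NTLM. Assumes NTLM auditing is enabled,
# the RSAT ActiveDirectory module is installed, and that the 8004 message text
# carries "User name:", "Domain name:", "Workstation name:" and
# "Secure Channel name:" lines (field labels assumed from the event text).
param(
    [string]$DomainController = 'localhost',   # DC whose NTLM/Operational log to read
    [int]$Days = 7,
    [string]$TestAccount = ''                  # hypothetical probe account, e.g. 'ntlm-probe'
)

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004                           # "Domain Controller Blocked Audit"
    StartTime = (Get-Date).AddDays(-$Days)
}

# One object per 8004 event, with the fields pulled out of the message body.
$records = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = @{}
        foreach ($line in ($_.Message -split "`r?`n")) {
            if ($line -match '^\s*(User name|Domain name|Workstation name|Secure Channel name):\s*(.*)$') {
                $f[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = "$($f['Domain name'])\$($f['User name'])"
            Workstation   = $f['Workstation name']
            SecureChannel = $f['Secure Channel name']   # server that forwarded the NTLM logon to the DC
        }
    }

# Each row is one "why didn't Kerberos work here?" item: the server that
# forwarded the NTLM logon, the client it came from and the account used.
$records |
    Group-Object SecureChannel, Workstation, User |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SecureChannel, Workstation, User'; e = { $_.Name } } |
    Format-Table -AutoSize

# Optional: Protected Users members cannot use NTLM, so log on with the probe
# account and exercise each application; whatever fails still depends on NTLM.
if ($TestAccount) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $TestAccount
}
```

Run it on (or against) the DC that logged the 8004 events; the grouped table is the worklist the first answer says only you can work through.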
