Here is a piece of code to extract NTLM v1 authentications from the Security event logs of AD domain controllers:
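# Successful logons (event 4624) in the Security log whose event data contains "NTLM V1".
# Properties[11] = WorkstationName, [6] = domain, [5] = user name, [18] = source IP address.
Get-WinEvent -FilterHashtable @{
    LogName = "Security"
    ID      = 4624
    Data    = "NTLM V1"
} -MaxEvents 1000 | Select-Object @{N="WorkstationName";E={$_.Properties[11].Value}},
    @{N="Account";E={$_.Properties[6].Value+"\"+$_.Properties[5].Value}},
    @{N="IPAddress";E={$_.Properties[18].Value}}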
Credit: sgibert from MS
If you don't detect any resources on your network using NTLM v1,
you can use a GPO at the domain level, under Security Options, to allow only NTLM v2.
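Before enforcing NTLM v2 only, it helps to run the check against every domain controller and read the fields by name instead of by position. The following is an added example, not code from the original post or from its credited author; the function names and the DC01/DC02 host names are hypothetical, and the sample event is constructed.

```powershell
# Added example: function names and DC01/DC02 are hypothetical placeholders.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$Xml, [string]$Source = 'local')
    # Index EventData by field name so a schema change cannot shift the columns.
    $data = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Source          = $Source
        Account         = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        WorkstationName = $data['WorkstationName']
        IPAddress       = $data['IpAddress']
        LmPackageName   = $data['LmPackageName']
    }
}

function Get-Ntlmv1Logon {
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$MaxEvents = 1000)
    # Match on the named LmPackageName field only, not on any data value.
    $xpath = "*[System[(EventID=4624)]] and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -LogName Security -FilterXPath $xpath `
                -MaxEvents $MaxEvents -ErrorAction Stop |
                ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() -Source $computer }
        } catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                Write-Verbose "$computer : no NTLM V1 logons found in the Security log"
            } else {
                # An unreachable or unreadable log is not evidence that NTLM v1 is unused.
                Write-Warning "$computer : $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample event (trimmed to the fields used) to exercise the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">svc-scan</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="WorkstationName">PRINTER07</Data><Data Name="LmPackageName">NTLM V1</Data>
<Data Name="IpAddress">192.0.2.15</Data></EventData></Event>
'@
ConvertFrom-LogonEventXml -Xml $sample

# Against real domain controllers: count NTLM v1 logons per account, workstation and address.
# Get-Ntlmv1Logon -ComputerName 'DC01','DC02' |
#     Group-Object Account, WorkstationName, IPAddress | Sort-Object Count -Descending
```

A warning for any domain controller means its log was not read, so the result for that host is unknown and not a clean bill of health.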
