Here is a piece of code that extracts logons using the NTLM v1 authentication protocol from the security event logs of AD domain controllers:

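# Logon events (ID 4624) whose event data contains "NTLM V1".
# Properties[11] = WorkstationName, [6] = TargetDomainName,
# [5] = TargetUserName, [18] = IpAddress
Get-WinEvent -FilterHashtable @{
    LogName = "Security"
    ID      = 4624
    Data    = "NTLM V1"
} -MaxEvents 1000 | select @{N="WorkstationName";E={$_.Properties[11].Value}},
    @{N="Account";E={$_.Properties[6].Value+"\"+$_.Properties[5].Value}},
    @{N="IPAddress";E={$_.Properties[18].Value}}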

Credit: sgibert from MS

If you don't detect any resources on your network using NTLM v1, you can enforce this with a GPO at the domain level, under Security Options, to allow only NTLM v2.
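
Before enforcing, it helps to turn the raw events into an inventory of which machines and accounts still send NTLM v1. The script below is an added example, not part of the original snippet or sgibert's code; the `$DomainControllers` list and the choice to leave out ANONYMOUS LOGON sessions are assumptions of this example.

```powershell
# Added example: summarise NTLM v1 logons per source across domain controllers.
# Run from an elevated session with rights to read the Security log.
$DomainControllers = @($env:COMPUTERNAME)   # assumption: replace with your DC names
$filter = @{ LogName = 'Security'; ID = 4624; Data = 'NTLM V1' }

$logons = foreach ($dc in $DomainControllers) {
    # -ErrorAction SilentlyContinue also hides the "no events found" error,
    # which Get-WinEvent raises when a DC has no matching logons.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name rather than by position in Properties[].
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            # The Data filter matches any field, so confirm the package explicitly.
            if ($data['LmPackageName'] -ne 'NTLM V1') { return }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                WorkstationName  = $data['WorkstationName']
                Account          = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                IPAddress        = $data['IpAddress']
            }
        }
}

# One row per workstation/account/IP, most frequent first.
# Assumption: ANONYMOUS LOGON sessions are left out of the inventory.
$logons |
    Where-Object { $_.Account -notlike '*\ANONYMOUS LOGON' } |
    Group-Object WorkstationName, Account, IPAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{N='LastSeen';E={($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated}}
```

An empty result only covers the events still retained in each Security log, so check the log size and retention on each domain controller before treating it as proof that nothing uses NTLM v1.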