Here is piece of code to extract from AD domain controllers security event logs the authentication protocol NTLM v1:

Get-WinEvent -FilterHashtable @{



Data=”NTLM V1″

} -MaxEvents 1000 | select @{N=”WorkstationName”;E={$_.Properties[11].Value}},



Credit: sgibert from MS

If you don’t detect resources on your network using NTLM v1,

you can enforce by GPO at the domain level to SECURITY OPTIONS: to allow only NTLM v2