Need some help to target the Group Policy to enable the NTLM audit?

EnterpriseArchitect 6,301 Reputation points
2024-04-18T12:53:32+00:00

I must audit any computers still using NTLM v1 in my AD Domain. Do I need to enable these group policies for all Windows servers and workstations in my AD Domain or just the Domain Controllers?

  • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Policy: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
    Setting: Enabled
    Policy: Network security: Restrict NTLM: Audit Incoming NTLM Traffic
    Setting: Enable auditing for all accounts
    Policy: Network security: Restrict NTLM: Audit NTLM authentication in this domain
    Setting: Enable all

1 answer

  1. Yanhong Liu 14,300 Reputation points Microsoft External Staff
    2024-04-19T06:01:42.2733333+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    If you want to confirm that any computers domain-wide are still using NTLM v1, you can edit the default domain policy on the domain controller. The default domain policy is a predefined Group Policy Object (GPO) that applies to all computers and users throughout the domain. You no longer need to enable these group policies individually for all Windows servers and workstations in the AD domain.

    In Group Policy Editor, navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options path, and then configure the following policy:

    Network Security: LAN Manager Authentication Level: Set the authentication level to disable NTLMv1, such as "Send NTLMv2 response only, deny LM & NTLM". When a client or service trying to use NTLMv1 is rejected, the system logs relevant events (such as event ID 4625, login failed) and mentions in the event details that the reason for the authentication failure is related to NTLMv1. By analyzing these failed login events, you can identify which clients or services are still trying to use NTLMv1.

    Also navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies

    Audit: Audit logon events: set to "success" and "failure". When this setting is enabled, the system logs logon events for successful or failed attempts, including logon attempts using NTLMv1.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

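The answer above relies on reading the Security log for logon events and picking out the ones that used NTLMv1. The following PowerShell script is an added example (not code from the thread or from Microsoft) that does that step: it reads events 4624 (logon success) and 4625 (logon failure), and keeps only those whose "Package Name (NTLM only)" field, stored as LmPackageName in the event XML, reads "NTLM V1". The $Days and $OutCsv parameters are hypothetical names chosen for this example; run it elevated on the domain controller (or any server) whose Security log you want to examine.

```powershell
# Added example: list logons that authenticated with NTLMv1, taken from
# Security events 4624/4625. Windows fills LmPackageName only for NTLM
# logons: "NTLM V1", "NTLM V2", or "-" for non-NTLM packages.
# $Days and $OutCsv are hypothetical parameter names for this example.
param(
    [int]$Days = 7,
    [string]$OutCsv = "$env:TEMP\ntlmv1-logons.csv"
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddDays(-$Days)
}

$hits = foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Event XML exposes every EventData field by name, which is more robust
    # than parsing the localized Message text.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LmPackageName'] -eq 'NTLM V1') {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            EventId     = $evt.Id          # 4624 = success, 4625 = failure
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']
        }
    }
}

# Keep the full detail for follow-up, then summarise per source so the
# legacy clients generating the most NTLMv1 traffic surface first.
$hits | Export-Csv -Path $OutCsv -NoTypeInformation
$hits | Group-Object Workstation, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Because NTLM logons against domain accounts are recorded on the domain controller that validated them, running this on each DC covers domain-wide usage without touching every workstation; a logon to a server with a local account is only recorded on that server. Run it with "Audit logon events" set to success and failure first, since 4624/4625 are not written otherwise, and collect at least a full business cycle before concluding that a given client no longer sends NTLMv1.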

