A PowerShell Script to Mitigate Active Directory Security Risks

PowerShell Script to Check for Legacy Protocols on Domain Controllers
The PowerShell script below can be used to verify that the legacy protocols discussed above (TLS 1.1, SMB 1.0 and NTLM) are disabled on domain controllers. When the script finishes, it generates a CSV file with one row per domain controller; the status of each protocol appears in the respective protocol column.

Script Requirements: Please ensure that you meet all of the requirements listed below before running the script.

1. Run the script using a Domain Admin account, as the script connects to each domain controller in the Active Directory domain to read registry entries and then reports the status of the protocols.
2. Make sure the computer is joined to the domain.
3. Make sure the C:\Temp directory exists on the computer where the script is executed.
# Report file; the header row defines the CSV columns filled in for each domain controller.
$ResultFile = "C:\Temp\LegacyProtocolsStatus.CSV"
Remove-Item $ResultFile -ErrorAction SilentlyContinue
$STR = "Domain Controller,Connection Status,TLS 1.1 Status,SMB 1 Status,NTLM Status"
Add-Content $ResultFile $STR

# Working file holding the host name of every domain controller in the forest.
$GDCList = "C:\Temp\AllDCs.TXT"
Remove-Item $GDCList -ErrorAction SilentlyContinue

# Enumerate every domain in the forest, then every domain controller in each domain.
$R = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Discover -DomainName $_ } |
    ForEach-Object { Get-ADDomainController -Server $_.Name -Filter * } |
    Select-Object HostName, Domain, Forest, IPv4Address, Site
foreach ($Item in $R)
{
    Add-Content $GDCList $Item.HostName
}

foreach ($ItemName in Get-Content "$GDCList")
{
    $TLStatus   = "Unknown"
    $SMBStatus  = "Unknown"
    $NTLMStatus = "Unknown"
    Write-Host "Checking Connection for Domain Controller: $ItemName"

    # A WMI query doubles as the reachability test; if it fails, the DC is reported and skipped.
    $Error.Clear()
    $ConnectionCheck = Get-WmiObject Win32_Service -ComputerName $ItemName
    if ($Error.Count -ne 0)
    {
        $STR = $ItemName + ",Connection Error," + $TLStatus + "," + $SMBStatus + "," + $NTLMStatus
        Add-Content $ResultFile $STR
    }
    else
    {
        Write-Host "Connection Success!"

        # TLS 1.1: read the .NET SecurityProtocol setting in a remote session; bit 768 (0x300) is Tls11.
        Write-Host "Checking TLS 1.1 Status..."
        $result = Invoke-Command -ComputerName $ItemName -ScriptBlock {
            $supported = [Net.ServicePointManager]::SecurityProtocol
            [PsCustomObject]@{
                SystemDefault = [bool]($supported -eq 0)
                Tls11         = [bool]($supported -band 768)
            }
        }
        $TLStatus = $result.Tls11

        # SMB 1.0: the SMB1 value under the LanmanServer parameters. A value other than 0,
        # or a missing value/key, is treated as enabled.
        Write-Host "Checking SMB 1.0 Status..."
        $ThisRegKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\LANManServer\Parameters"
        $ThisRegEntry = "SMB1"
        $Error.Clear()
        $dbs = Invoke-Command -ComputerName $ItemName -ArgumentList $ThisRegKey, $ThisRegEntry -ScriptBlock {
            param($Key, $Entry)
            Get-ItemProperty -Path $Key -Name $Entry
        }
        if ($Error.Count -eq 0)
        {
            $CheckValue = $dbs.SMB1
            if ($CheckValue -ne "0")
            {
                $SMBStatus = "Enabled"
            }
            else
            {
                $SMBStatus = "Disabled"
            }
        }
        else
        {
            if ($Error[0].Exception.Message -match "Property SMB1" -or $Error[0].Exception.Message -match "Cannot find path")
            {
                $SMBStatus = "Enabled"
            }
            else
            {
                $SMBStatus = "ConnectionError"
            }
        }

        # NTLM: LmCompatibilityLevel 5 means "send NTLMv2 only, refuse LM and NTLM".
        # Any other value, or a missing value/key, is reported as NTLM enabled.
        Write-Host "Checking NTLM Status..."
        $ThisRegKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\Lsa"
        $ThisRegEntry = "LmCompatibilityLevel"
        $Error.Clear()
        $dbs = Invoke-Command -ComputerName $ItemName -ArgumentList $ThisRegKey, $ThisRegEntry -ScriptBlock {
            param($Key, $Entry)
            Get-ItemProperty -Path $Key -Name $Entry
        }
        if ($Error.Count -eq 0)
        {
            $CheckValue = $dbs.LmCompatibilityLevel
            if ($CheckValue -ne "5")
            {
                $NTLMStatus = "Enabled"
            }
            else
            {
                $NTLMStatus = "Disabled"
            }
        }
        else
        {
            if ($Error[0].Exception.Message -match "Property LmCompatibilityLevel" -or $Error[0].Exception.Message -match "Cannot find path")
            {
                $NTLMStatus = "Enabled"
            }
            else
            {
                $NTLMStatus = "ConnectionError"
            }
        }

        $STR = $ItemName + ",Connection Ok," + $TLStatus + "," + $SMBStatus + "," + $NTLMStatus
        Add-Content $ResultFile $STR
    }
}

When the above script completes, you will find a report file at "C:\Temp\LegacyProtocolsStatus.CSV" containing the status of all protocols for every domain controller, as shown in the screenshot below.
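One caveat worth checking separately: the script's TLS column reports the .NET SecurityProtocol setting of the remoting session it opens, while what the DC actually offers to TLS clients is governed by the Schannel registry keys. The function below, an added example that is not part of the original script, reads those keys on a domain controller and reports whether TLS 1.0 and TLS 1.1 are disabled, enabled, or left at the OS default. It assumes the caller is a Domain Admin and that PowerShell remoting is enabled on the DC; the computer name in the usage line is a placeholder.

```powershell
# Added example (not part of the original script): query the Schannel registry keys that
# govern whether a DC's server side offers TLS 1.0 / TLS 1.1.
function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string[]] $Protocols = @('TLS 1.0', 'TLS 1.1')
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Protocols) -ScriptBlock {
        param([string[]] $Protocols)
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
        foreach ($proto in $Protocols) {
            $key = Join-Path $base "$proto\Server"
            $enabled = $null
            $disabledByDefault = $null
            # An absent key or value means no explicit policy: the OS default applies.
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Enabled=0 or DisabledByDefault=1 on the Server key means the DC will not
            # offer the protocol; both values missing means the OS default is in force.
            $state = if ($enabled -eq 0 -or $disabledByDefault -eq 1) { 'Disabled' }
                     elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OSDefault' }
                     else { 'Enabled' }
            [PSCustomObject]@{
                ComputerName      = $env:COMPUTERNAME
                Protocol          = $proto
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                ServerState       = $state
            }
        }
    }
}

# Usage (placeholder DC name): write the result next to the script's own report.
# Get-SchannelProtocolState -ComputerName 'DC01.example.local' |
#     Export-Csv 'C:\Temp\SchannelStatus.CSV' -NoTypeInformation
```

Rows reporting OSDefault need to be interpreted against the DC's Windows Server version, since the built-in default differs between releases.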

Source: https://www.esecurityplanet.com/networks/a-powershell-script-to-mitigate-active-directory-security-risks/
