Ned Pyle has ensured there is a Event-log that details any attempts to communicate with SMB1 (incase this still is enabled on your endpoint). It exists both for SMBServer and SMBClient
See his great post for specifics regarding the event;
In Windows 10/Server Ver 1709 (i.e. Fall Creators/RS3), we added auditing of SMB1 *client*. If SMB1 client installed, we write Microsoft-Windows-SMBClient/Audit event 32002 when the device is told by remote server "I require SMB1, I am scum!" See?
— Ned Pyle (@NerdPyle) February 23, 2018
Caveats though. 1/N pic.twitter.com/5yhXxkG0lN
As of Configuration Manager (or MECM) 1910 you can utilize CMPivot to query all Event-logs (previously only a subset where available is only the Get-WinEventLog cmdl:et was used) – including SMBClient/Audit.
Sample query – summarized the number of events 30 days backwards per client
WinEvent('Microsoft-Windows-SmbClient/Audit', 30d)
| where ID == 32002
| summarize count() by Device
Sample query – device, date and message
WinEvent('Microsoft-Windows-SmbClient/Audit', 30d)
| where ID == 32002
| project device, datetime, Message
In addition you can create a collection of the clients you found;
Or if it needs to be pretty;
WinEvent('Microsoft-Windows-SmbClient/Audit', 30d)
| where ID == 32002
| summarize count() by Device
| render barchart with (kind=stacked, title='SMB1 Events', ytitle='Events')
