18.104.22.168.4 Encrypting the Message
If Connection.Dialect belongs to the SMB 3.x dialect family and Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST encrypt the message before sending, if any of the following conditions are satisfied:
If the message being sent is any response to a client request for which Request.IsEncrypted is TRUE.
If Session.EncryptData is TRUE and the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP.
If Session.EncryptData is FALSE, the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and Share.EncryptData for the share associated with the TreeId in the SMB2 header of the response is TRUE.
The server MUST encrypt the message as specified in section 22.214.171.124, before sending it to the client.