@Brandon Hough Here is the GPO used to grey out Encrypt-Only option in Outlook, we are GCC Semi-Annual Channel v2308. We had to make changes to Outlook Web Access as well to not allow Client Encryption:
Action: Update
Properties: Hive HKEY_CURRENT_USER
Key path: Software\Microsoft\Office\16.0\Common\DRM
Value name: DisableEO
Value type: REG_DWORD
Value data: 0x1 (1)