I imagine the 'donotencrypt' tagged systems are currently being manually tagged?
I don't suppose that these systems all have certain computer properties in common such as: is Server, IP range or OS that you could use with Tag Criteria?
If so this would be a good way of ensuring duplicates have the correct tags applied on every agent to server communication.
You can use a server task to export a query to file as a csv then use the server task load systems to apply an action. You would only be able to export the devices names, not the tags. So a query per tag.