Hi,
Both of your scenarios are supported.
"When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches are stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at host encrypts your data from end-to-end. Encryption at host does not use your VM's CPU and doesn't impact your VM's performance."
I believe what changes here is that encryption is delivered by the virtual machine host instead of on the storage cluster where the data is at rest.
You can enable encryption at host at the time of deployment or later regardless of whether using SSE with PMK or SSE with CMK. ADE is not supported as you mentioned.