How to secure a remote laptop when the employee is being terminated?

I have a remote user in another state who has a company Windows computer. We have a typical AD and VPN setup. What is the best way to ensure this user would not be able to log in to their computer after they are terminated? Sure, I can disable their account, but they may be able to log in with their locally cached profile.

They will be on their computer and the VPN when they meet with HR. I can use CMD/PowerShell through our RMM, or just remote in via ScreenConnect backstage and access CMD from there. Would disabling their AD account and then running a gpupdate on their PC via CMD do the trick?

Wipe the BitLocker keys and reboot. Should take only moments, and then you can unlock the PC via BitLocker recovery later.

Script to do just this:

# Find the TPM key protector on the OS volume (the one that lets the disk unlock at boot without a prompt).
$TpmProtectorID = ((Get-BitLockerVolume -MountPoint 'C:').KeyProtector | Where-Object KeyProtectorType -EQ 'Tpm').KeyProtectorID
# Removing it leaves only the recovery password protector, so the next boot stops at the BitLocker recovery screen.
# Make sure that recovery password is already escrowed (AD/Intune) before running this, or the disk is gone for good.
Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $TpmProtectorID
Restart-Computer -Force

This seems like the best option and the one I’m going to go with. In this instance, I know the person will be on their laptop and I can run this via our RMM. Run this, disable all their stuff, easy.

Redo BitLocker when the laptop is received and re-issue.

That’s a fantastic idea.

If the WFH staff member's remote device is online, wipe the BitLocker keys and reboot.

What to do if the remote WFH device is not online? Perhaps leave the VPN and AD account enabled and change the logon script (assuming an on-domain remote WFH device) to wipe the BitLocker keys and reboot, then disable the AD account?

Wonder what edge case I’m missing here?
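Putting the TPM-protector approach from the answer above together with the offline case raised in this comment, as an added example that is not any poster's script. It assumes the OS volume is C:, that recovery passwords are escrowed to the computer object in AD (Backup-BitLockerKeyProtector needs line of sight to a domain controller, so the VPN or office network has to be up), and that it runs as SYSTEM or an administrator on the endpoint, either pushed through the RMM while the laptop is online or as a GPO computer startup script scoped to that one computer. A user logon script is the wrong vehicle for this: it runs with the user's own token, and Remove-BitLockerKeyProtector needs elevation. The script reboots only when it actually removed a TPM-based protector, so it is safe to leave in place as a startup script without bouncing the machine on every later boot, and it refuses to proceed until a recovery password exists and has been backed up.

```powershell
# Added example, not the thread's own script. Run as SYSTEM/admin on the endpoint (RMM or computer startup script).
# Assumptions: the OS volume is C:, and the machine can reach a DC so the recovery password can be escrowed to AD DS.
$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Nothing to lock if the volume is not actually protected; say so and stop rather than reboot.
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not on for $MountPoint; nothing to remove."
    return
}

# Every TPM-based protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) lets the disk unlock at boot; take them all.
$tpmProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
if ($tpmProtectors.Count -eq 0) {
    # Already done on an earlier run (e.g. this is a startup script on a later boot): do not reboot again.
    Write-Output "No TPM protector on $MountPoint; already locked."
    return
}

# A recovery password must exist before the TPM protector goes, or nobody will ever unlock this disk again.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# Escrow every recovery password to the computer object in AD DS. -ErrorAction Stop aborts the whole script
# if the backup fails, so the TPM protector is never removed while the key is unsaved.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
}

# Now pull the TPM protector(s). From here on the next boot stops at the recovery screen.
foreach ($p in $tpmProtectors) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
}

# Reboot only because a protector was actually removed on this run.
Restart-Computer -Force
```

Two practical notes. A GPO startup script only helps if the laptop has network before anyone logs on, which for a remote machine means an always-on or device-tunnel VPN; otherwise the RMM agent, which runs as SYSTEM and connects out over the internet, is the more reliable channel, and the Intune remote wipe mentioned further down covers devices that never come back on the VPN at all. For Microsoft Entra joined devices the escrow step is BackupToAAD-BitLockerKeyProtector instead of the AD DS cmdlet used here.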

If you have the devices uploaded to Intune as well, you can just initiate a remote wipe without the device needing to be connected to the VPN.

Kill their AD account and VPN access so they cannot get to company resources, and then let legal/HR deal with getting the equipment back. I think, based on what I am dealing with and what others have posted in this sub, our IT departments are running thin on both headcount and funding, and we don't have time to do anything beyond ensuring information security/business continuity. Let HR/legal be the ones to advise of the consequences of destroyed or missing hardware.

Could send out a forced reinstall of the OS to it that would reboot the PC within 2 hours or X time, if nothing too important is on it.

RDP to it as admin, force a logout, then remove his cached profile? That could maybe work.

If he's logged in, send a remote reboot and then log in to the PC as admin remotely to remove the cached profile?

Just ideas, not sure if they work for you, just some off the top of my head.
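The cached-profile idea in this comment, worked through as an added example that is not the commenter's own script. One caveat matters here: the cached domain credential that lets a user log on while no DC is reachable lives in the LSA cache (the HKLM\SECURITY\Cache hive), not in the C:\Users profile folder. Deleting the profile on its own does not stop an offline logon; Windows would accept the cached credential and create a fresh profile. So the script does three things: it logs the user off, removes the profile through Win32_UserProfile, and sets CachedLogonsCount to 0 so that no cached domain logon is accepted at all. It assumes it runs as an administrator or SYSTEM on the endpoint (RMM push or a remote PowerShell session) and takes the account as DOMAIN\user; the $Account parameter and the sample value are placeholders. Disabling the account in AD is still done from the admin side, as elsewhere in the thread.

```powershell
# Added example, not the thread's own script. Run as admin/SYSTEM on the endpoint.
# $Account is a placeholder: supply the departing user's account as DOMAIN\user, e.g. 'CORP\jdoe'.
param([Parameter(Mandatory)][string]$Account)

$userName = $Account.Split('\')[-1]

# Resolve the profile for this account. Win32_UserProfile is keyed by SID, so translate the name first;
# if no DC is reachable to do the lookup, fall back to matching the profile folder name.
function Get-TargetProfile {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        Get-CimInstance Win32_UserProfile | Where-Object SID -eq $sid
    } catch {
        Get-CimInstance Win32_UserProfile |
            Where-Object { (Split-Path $_.LocalPath -Leaf) -ieq $userName }
    }
}

# 1. Log the user off. quser lists interactive sessions; after the username column, the session ID is the
#    first purely numeric field (the SESSIONNAME column is empty for disconnected sessions, so columns shift).
$sessions = quser 2>$null | Select-Object -Skip 1
foreach ($line in $sessions) {
    $fields = $line.Trim().TrimStart('>').Trim() -split '\s+'
    if ($fields[0] -ieq $userName) {
        $sessionId = $fields | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if ($sessionId) { logoff $sessionId }
    }
}

# 2. Wait for the profile to unload (logoff is asynchronous), then delete it.
$userProfile = $null
for ($i = 0; $i -lt 30; $i++) {
    $userProfile = Get-TargetProfile
    if (-not $userProfile -or -not $userProfile.Loaded) { break }
    Start-Sleep -Seconds 2
}
if ($userProfile -and $userProfile.Loaded) {
    throw "Profile for $Account is still loaded; cannot remove it."
}
if ($userProfile) {
    # Remove-CimInstance on Win32_UserProfile deletes the profile folder and its ProfileList registry entry.
    $userProfile | Remove-CimInstance
    Write-Output "Removed profile $($userProfile.LocalPath)"
} else {
    Write-Output "No local profile for $Account on this machine."
}

# 3. Stop cached domain logons altogether. Cached credentials live in the LSA cache, not in the profile,
#    so without this the user could still log on offline and simply get a fresh profile.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name CachedLogonsCount -Value '0' -Type String
```

CachedLogonsCount is the registry form of the policy "Interactive logon: Number of previous logons to cache"; setting it to 0 is machine-wide, so every domain user on that laptop loses offline logon, which is normally what you want for a device that is about to be shipped back anyway. Pair this with the AD account disable and the BitLocker step, since an admin-side RDP session to the laptop still depends on the user leaving it powered on and connected.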