There should be an IP address associated with the laptop, you could disable the IP from coming in, You could change the Admin password also to ensure they don’t come in with the main account. Disable their VPN account also.
Best of luck,
You can remove them from the Admin group, or better yet setup something to run on the machine the next time it’s booted up after the date in question which grants his login into the deny logon locally privilege. Also disable is Windows login and VPN access at time of termination.
If he really wants to get to the data on the laptop he could simply pull out the hard drive and get the data off it via another machine, or reinstall windows.
Another less conventional approach which you could use would be to use software called Laptop Cop and install it on the machine. After he’s let go, you can contact the customer support department and let them know that you need to delete all the data on the remove laptop. They will be able to turn on this functionally as if the laptop was stolen and you can then delete all the data from the laptop.
(Note that I work for the company which makes Laptop Cop.)