Disk encryption is growing in popularity as a means of better-securing laptops and desktops. Microsoft is offering BitLocker natively in Windows 10. Microsoft Endpoint Configuration Manager has a built-in BitLocker Administration console. If you don't have SCCM, then Microsoft offers the MBAM console to manage encryption.
The premise of BitLocker is that the data and possibly the OS drives are encrypted. If you give a teacher or administrator a laptop that leaves the district, that drive is gibberish without credentials. If a bad guy steals the laptop and pulls out the drive to plug it in externally, they will see absolutely nothing. If a student attempts to boot a desktop in a lab with a Windows To Go USB stick to get underneath the OS to hack the device, they will see nothing and won't be able to access anything.
If you haven't already, I encourage you to start a pilot implementation of BitLocker deploys and roll it out to all your endpoints as soon as you are comfortable with it starting with the laptops that leave the district and then following up with the district desktops.
If you need help sorting this out, give us a call.