Get this document and read about "Common Criteria EAL4 Mode Operation"
If you follow recommendations, then you should be good.
We have EEPC running on over 5,000 machines. In the past year we also have had some machines lost or stolen. EEPC is the enterprise solution which we researched over two years. We have had no compromised data that we are aware of from any EEPC protected machine. Here is the weakness which we have noticed, and it is NOT with the product, it is with our employees. I have personally received laptops from end-users who for one reason or another can no longer access their EEPC machine. One example includes a note in the laptop case with the userID and password scribbled on a small piece of paper - EEPC can't stop access to a would-be thief if you give them your loginID and password. Another situation which you should be aware of is that sometimes when one of our techs (we have almost 200 techs) has to re-build a machine they might not reinstall EEPC. That problem is compounded because the machine WAS previously encrypted and the EEM shows the status as being fully encrypted, however because the tech did not remove the machine object and did not reinstall the program - our reporting is not accurate. This is a problem if that specific machine is lost or stolen before we identify it as not having EEPC currently installed.
For user non-compliance there is really no bullet-proof solution...
As for machines, rely on audit log information more and catch machines that do not synch regularly or have wrong audit time stamps.
Another note, if you are using ePO for EEPC Deployment and Reporting you can identify quickly any machine that is rebuilt that does not have the encryption software installed as well as the disk status.
If you don't have ePO I know a few Sales guys that would love to hear from you. j/k
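The two replies above suggest catching rebuilt or non-reporting machines from audit and inventory data: machines that have not synced recently, machines whose audit timestamps look wrong, and machines whose console disk status still says "Encrypted" while the encryption agent is no longer installed. The script below is an added example of that check, not code from the thread or from McAfee/ePO; the CSV export format, the column names, the 14-day sync threshold and the one-hour clock-skew tolerance are all assumptions, and the records are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real ePO/EEM output). Assumed columns:
# machine name, last successful sync with the server (UTC), the audit timestamp
# the client wrote for that sync, whether the encryption agent is installed,
# and the disk status the console shows for the machine object.
SAMPLE_CSV = """name,last_sync,audit_ts,agent_installed,disk_status
LAP-001,2023-05-10T09:00:00,2023-05-10T08:58:00,yes,Encrypted
LAP-002,2023-03-01T12:00:00,2023-03-01T11:59:00,yes,Encrypted
LAP-003,2023-05-09T15:00:00,2024-01-01T00:00:00,yes,Encrypted
LAP-004,2023-05-09T15:00:00,2023-05-09T14:59:00,no,Encrypted
"""

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2023, 5, 11, 0, 0, 0)


def parse_records(csv_text):
    """Parse the constructed CSV export into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({
            "name": row["name"],
            "last_sync": datetime.fromisoformat(row["last_sync"]),
            "audit_ts": datetime.fromisoformat(row["audit_ts"]),
            "agent_installed": row["agent_installed"].strip().lower() == "yes",
            "disk_status": row["disk_status"].strip(),
        })
    return records


def find_suspect_machines(records, now=NOW, max_sync_age_days=14,
                          max_skew=timedelta(hours=1)):
    """Return (machine, [reasons]) for machines whose reporting cannot be trusted.

    stale_sync: the machine has not synced within max_sync_age_days.
    audit_clock_skew: the client's audit timestamp disagrees with the server-side
        sync time (or lies in the future), which the thread flags as a red flag.
    encrypted_status_without_agent: the console still shows the old machine
        object as encrypted, but no agent is installed, i.e. a likely rebuild.
    """
    findings = []
    for r in records:
        reasons = []
        if now - r["last_sync"] > timedelta(days=max_sync_age_days):
            reasons.append("stale_sync")
        if (r["audit_ts"] > now + max_skew
                or abs(r["audit_ts"] - r["last_sync"]) > max_skew):
            reasons.append("audit_clock_skew")
        if r["disk_status"] == "Encrypted" and not r["agent_installed"]:
            reasons.append("encrypted_status_without_agent")
        if reasons:
            findings.append((r["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspect_machines(parse_records(SAMPLE_CSV)):
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample data, the script flags LAP-002 for a stale sync, LAP-003 for a skewed audit clock, and LAP-004 as the rebuilt-without-agent case from the first reply; LAP-001 is clean. The thresholds are deliberately parameters so they can be tuned to how often a fleet actually checks in.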