If the device is wired to the LAN, the admin logon authenticates the user with the domain server, and thus decrypts the files using the credentials that are stored server-side.
If the drive would be fully encrypted, you’d have to enter a password each time you boot the machine. That can be done, but is really not all that practical, especially not when working with a domain server / remote admin.
For a private computer, you can have a look at Veracrypt (FOSS) if you want to have a fully encrypted drive.