If there's ransomware on an employee's laptop you simply throw it away and give them another one. And have them go through a lot of security training after.
Assuming they were the weakness. It might be that patching velocity was the reason the laptop became infected. Where I work, that is managed via patch management software, not the end-user.