How can I prevent a computer from turning ON?
Out-of-band management
Intel Management Engine and amd DASH are separate microprocessors that remotely manage enterprise PCs. They run with Ring
-3 privilege on the machine and run outside of host OS.
It can lock stolen devices, remotely erase data, track location, wake on LAN and wake on wireless LAN, control host OS and detect third party live USB boots.
It is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. [1]
As it requires a power source, in enterprise Desktops, keeping the switch on is enough for motherboard to draw power as shutting down the host OS does not shut down the AC power supply to the power supply unit of the motherboard.
There is no way to disable it from UEFI. Removing the microprocessor or modifying its firmware which is stored in UEFI will prevent system to boot. Disabling secure boot or using custom UEFI keys will not disable its firmware verification.
This is how Intel verifies it, amd's implementation could be different:
The ME firmware is verified by a secret boot ROM embedded in the chipset that first checks that the SHA256 checksum of the public key matches the one from the factory, and then verifies the RSA signature of the firmware payload by recalculating it and comparing to the stored signature. This means that there is no obvious way to bypass the signature checking, since the checking is done by code stored in a ROM buried in silicon, even though we have the public key and signature. [1]
Once stolen devices are locked, they don't respond to power button signal. In old motherboards with BIOS, they used to respond but immediately shut themselves down.
Consumer PCs also have Intel Management Engine microprocessor and Intel Management Engine Interface driver pre-installed in Windows but Intel Active Management Technology software is not installed by OEMs in consumer PCs.
Can it be reversed, or will this brick the device?
If the device is locked by the remote administrator, it can unlock it using wake on LAN and a specific unlock instruction to the chip. This is how my organisation used to handle enterprise laptops with sensitive data. The chip is bounded with its firmware in UEFI, hardcoded with chipmaker's public key and is probably hardwired to the motherboard in order to brick the device if chip is removed. Intel is secretive about its implementation.
That didn't stop researchers to partially disable it from its firmware:
Disable Intel’s Backdoor On Modern Hardware (2020)
Researchers discovered an undocumented configuration setting that can used to disable the Intel ME master controller that has been likened to a backdoor. (2017)
Out-of-band management
[1] Intel x86s hide another CPU that can take over your machine (you can't audit it)
defalt's answer is very good but additionally, keep in mind three things:
Users are unreliable narrators and their definition of "it won't power on" is quite broad and may include the device starting but not being able to log on.
MDM (Mobile Device Management) applies to laptops as well as mobile devices and tablets these days and most MDM systems have some way of making fully integrated "corporately owned" devices inoperative.
Even without all that, even without OOB management, most sysadmins can push a script to run rm /* -rf or its Windows equivalent.