Encryption
Ivan, 2018-10-25 00:33:25

How to finally protect user data?

Hello everyone, I am asking for help or advice on what to do.
A number of users work with critical data.
The media are encrypted, all routine procedures are written down, everything works.
But from time to time I notice passwords on the PC and in other easily accessible places.
Punishing procedurally is already useless; I want to find a technical way out.
How to finally protect ourselves from a possible data leak?
Now: the user enters two passwords (login and decryption password).
The password is written on a piece of paper and stuck to the laptop. Goodbye, security...
I would like: the user enters two passwords (login and a decryption password) + an additional action (plugs in a flash drive, or plugs in a flash drive and enters the password from it, launches a program, or whatever else you can think of that definitely cannot be written down explicitly on a piece of paper).
So what additional action could be implemented here?
PS: In general, I'm even ready to sacrifice the data on the PC (all data is backed up) if there is a deletion in the absence of the additional action ))
Thank you in advance
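The "something that cannot be written on paper" the question asks for can be a keyfile that lives only on a removable medium: the decryption key is derived from the typed password and the keyfile together, so the password alone (the thing that ends up on a sticky note) unlocks nothing, and a stolen flash drive alone still faces the full password-guessing cost. The following is an added example, not code from the asker or from any product named in the answers; the salt, keyfile bytes and password are constructed demo values, and the verifier is a hypothetical header check value of the kind disk-encryption tools store to detect a wrong credential without revealing the key. It demonstrates only the key-derivation and unlock check, not the data encryption itself.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Cost parameter for the password half of the derivation (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000

# Constructed demo material (hypothetical values). The salt is stored on the PC
# beside the encrypted data; the keyfile exists ONLY on the removable medium.
DEMO_SALT = bytes.fromhex("9f2a6c4e1b7d3a5c8e0f2b4d6a8c0e1f")
DEMO_KEYFILE = bytes(range(256)) * 4  # stands in for a 1 KiB random keyfile
DEMO_PASSWORD = "correct horse battery staple"


def new_keyfile(size: int = 1024) -> bytes:
    """Generate a fresh random keyfile to be written to the flash drive."""
    return secrets.token_bytes(size)


def derive_volume_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Derive the 32-byte volume key from BOTH factors.

    1. PBKDF2 over the typed password: whoever steals the flash drive still
       has to brute-force the password at full KDF cost.
    2. HMAC keyed with that result over the keyfile digest: whoever reads the
       password off a sticky note gets a key that is useless without the drive.
    """
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    keyfile_digest = hashlib.sha256(keyfile).digest()
    return hmac.new(pw_key, keyfile_digest, hashlib.sha256).digest()


def make_verifier(volume_key: bytes) -> bytes:
    """Header check value: lets the tool say 'wrong password or keyfile'
    without the check value itself revealing the key."""
    return hmac.new(volume_key, b"volume-key-check-v1", hashlib.sha256).digest()


def unlock(password: str, keyfile: bytes, salt: bytes, verifier: bytes) -> Optional[bytes]:
    """Return the volume key if password AND keyfile are right, else None."""
    key = derive_volume_key(password, keyfile, salt)
    if hmac.compare_digest(make_verifier(key), verifier):
        return key
    return None


# Verifier that setup would store next to the encrypted data (demo value).
DEMO_VERIFIER = make_verifier(derive_volume_key(DEMO_PASSWORD, DEMO_KEYFILE, DEMO_SALT))


def demo() -> dict:
    """Three scenarios: both factors, sticky note only, stolen drive only."""
    return {
        "password + keyfile": unlock(DEMO_PASSWORD, DEMO_KEYFILE, DEMO_SALT, DEMO_VERIFIER) is not None,
        "password only (note on the monitor)": unlock(DEMO_PASSWORD, b"", DEMO_SALT, DEMO_VERIFIER) is not None,
        "keyfile only (stolen flash drive)": unlock("", DEMO_KEYFILE, DEMO_SALT, DEMO_VERIFIER) is not None,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'unlocked' if ok else 'refused'}")
```

The keyfile has to be generated with a CSPRNG (`new_keyfile`) and must not be copied onto the PC, otherwise it degrades back to a single factor; the same applies to a backup copy of the drive, which should be held by someone other than the user.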



11 answers
Sergey Gornostaev, 2018-10-25
@sergey-gornostaev

Administrative methods work well if management is really concerned about security. Fines and layoffs leave no one indifferent. If the company is not ready for such drastic measures, then admin sadism has proven itself well:

  • When a password is found on a piece of paper, the password is changed, and the password length limit for that user is increased by one character.
  • You enter under the user account with a password from a piece of paper, delete important files and write a swear letter to the CEO.

xmoonlight, 2018-10-25
@xmoonlight

https://www.rohos.com/ (2FA:OTP; USB flash drive, SD-memory cards, U2F keys, Yubikey, PKCS#11 security dongles like SafeNet iKey and popular RFID cards)

andreyd234, 2018-10-29
@andreyd234

At my work, everything is both easier and harder. For the especially forgetful, I make them save their passwords in their cell phone under an assumed name: you create an SMS, and everything is written there. So far it works; the pieces of paper have disappeared. If the phone is lost, who would know where and what the password is, and most importantly where to enter it.

stratosmi, 2018-11-28
@stratosmi

A number of users work with critical data.
The media are encrypted, all routine procedures are written down, everything works.
But from time to time I notice passwords on the PC and in other easily accessible places.
Punishing procedurally is already useless; I want to find a technical way out.

Such a procedurally justified and technically organized measure as the regular changing of passwords is exactly what forces users to write passwords down. If there were one password for 100 years, they would remember it.
Find another way, one that does not stress people and does not prevent them from working.
That same frequent change of passwords is a good excuse for the security service ("we did our job; the users themselves are to blame"). But it is not a solution to the problem.

tiqq, 2018-10-25
@tiqq

Look towards two-factor authentication, since there are ready-made solutions, for example for PHP. The result will be: the user enters two passwords (login and a decryption password) + an additional action (entering a code that they receive through an application on their phone, such as Google Authenticator).

Voll., 2018-10-25
@vollthegreat

Google Authenticator: the user enters a password, and the second password is sent to the mobile application, and he must copy it over and enter it. Essentially the same method as in Steam Guard.

fisher_dept, 2018-10-25
@fisher_dept

Are you sure that tightening security to this degree suits the business? Did you at least calculate the risks? As for pieces of paper with passwords... do you have an information security policy in place? Perhaps it's easier for you to run some kind of exercise and do an internal mini pentest, simulating the actions of an attacker, and based on the result point out the incompetent employees to management?

cssman, 2018-10-25
@cssman

Technical methods will not help; when tokens are used, the tokens will be in a drawer (at best).
Only organizational methods: weakening the password policy where possible (one password, fewer requirements on strength and frequency of changes), raising awareness, and, where possible and necessary, a demonstrative flogging.

Egor Kazantsev, 2018-10-25
@saintbyte

Collect biometrics from them; they definitely won't share their fingerprints and won't forget them. Flash drives will get lost, and then hackers will make flash drives with viruses. A finger can only be cut off.

Tata Lo, 2018-11-01
@TataI0804

What is in use?
Domain accounts?
Which ones?
What browsers do you use?
That's where you have to start looking.
Google domains allow for pretty tight control, and Chrome's settings for domain accounts can be fine-tuned too.
If it's something else, then it's not strong.
