Remote User VPN using user certificates

We’re looking to implement certificate-based authentication for our remote access VPNs. The end goal is to prevent untrusted devices connecting to our network.

The VPN has been configured to require the user’s username, password and a certificate issued by the Windows Domain that is stored in that user’s personal certificate store.

The certificate private key is not exportable when going via traditional routes, and users do not have local administrator access to their computers.

Just wondering if anyone happens to know of any ways around this type of setup, e.g. any way to export the private key?

Is this setup suitable, or are there alternative configurations we may have overlooked?

Thanks in advance.