Using machine cert for 2nd factor VPN authentication as a normal u

We want to use the machine certificate as the second factor for VPN
authentication with our Anira solution, but are having a problem with the
NTFS permissions of the certificate.

Our users are not local administrators on their workstations, and since the
machine certificates don't inherit permissions from the parent folder, the
user doesn't have read access to the machine certificate. Changing the
permissions is easy enough with an SMS package, but with about 20 machines
renewing their certificates a day, this is not a workable solution.

Is there a way to change the default permissions of an autoenrolled machine
certificate? This way the users will have read access, and thus the ANIRA VPN
client will be able to access the certificate when launched as a regular user.

Please advise.