AlwaysOnVPN Device Tunnel (IKE) Certificate selection problem

We are using AlwaysOnVPN and configuring device tunnel at Windows 10/11 clients.

(not to be confused with user tunnel)

At server side we are using EKU filtering (CertificateEKUsToAccept parameter)

Everything works well until clients have 2 or more device certificates. Windows randomly takes first one and in most cases, it is no valid without correct EKU. So authentication failed: “Verifying username and password...IKE authentication credentials are unacceptable”

From first sight, this problem could be solved by adding section to client’s config:

<NativeProtocolType>IKEv2</NativeProtocolType>

     <Authentication>

           <MachineMethod>Certificate</MachineMethod>

           <Certificate>

                <EKU>1.3.6.1.5.5.7.3.7</EKU>

           </Certificate>

     </Authentication>

and there is a section at VPNv2 CSP:

Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku

But is says “Reserved for future use.” And there is no any Allowed Values.

Without much hope, I wanted to ask the community are there any ways to chose right device certificate at client side?

And hope MS will enable this feature as well.