TransWikia.com

Can desktop application users retrieve a key from a CNG keystore residing on a LAN server

Stack Overflow Asked on November 10, 2021

I am trying to come up to speed on the ABCs of CNG. My goal is to secure a persistent long-term symmetric key, similar to the situation in this question. If the symmetric key can be encrypted and stored as a ciphertext in the application’s app.config and then be unencrypted at runtime, it wouldn’t have to be embedded, in merely obfuscated form, in the program itself. And so I have a couple of basic questions.

Is it possible for users of a Full Trust .NET desktop application (published via ClickOnce to a LAN server and set to be "available only online") to

a) retrieve an asymmetric private key from a CNG keystore residing on the LAN server to which the application was published, and use that key to decrypt the ciphertext version of the symmetric key?

or

b) send an asymmetrically encrypted symmetric key to a CNG crypto provider residing on that LAN server and get that symmetric key back in unencrypted plain-text form, so it was ready for use?

or

c) must a keystore always be stored on the machine where the code is executing, that is, must each user have a copy of this private asymmetric key on their PC?

Finally, if it is possible to supply the asymmetric key to the user in some manner, how do I invoke it as the one needed to decrypt a particular section of the app.config?
