They have a good enough coding and reasoning skills to find malware, but not enough to understand how VPN applications are coded.
Obviously Microsoft uses VPN software (web based or client app) allowing employees to connect remotely.
VPN software pretty much searches to ensure your computer is safe, has AV software, etc. Gathers IP address history, among other basic info from registry.
If you're unwilling to install the VPN application, along with any other required applications then you're not allowed to connect.
Then if a connecting computer is suspect, it isn't difficult for the company and/or law enforcement to add other code/apps to get nearly anything from an intruder's computer--particularly if this person is using an account with elevated privileges--which most likely they will be.
A good thing to know; if you're going to work remotely--use a company laptop instead of your personal home computer.