Rairii (@Rairii@haqueers.com)

@winload_exe @ipg @DenJohn i'm not surprised.

since th2 or so, windows is only meant to load drivers signed by MS if they were signed after a certain point. but if there's no timestamp on the cert the old certs all still work (they've all expired by now but that doesn't matter, some of them had their private keys leaked and there's various signtool hooks to patch the expiry time checks out). so for anyone using their own legit code signing cert and privkey the ONLY option for signing drivers is to go through MS.

MS signs anything you give them (as long as you have access to sign drivers, which basically just requires a shell company and an EV code signing cert, people on unknowncheats can afford this) and basically rely on their terms and conditions to say "if you sign something with vulns we will revoke, if you sign malware we will ban". their terms and conditions also specify that they can require a code audit of your drivers at any time.

MS driver signing puts the name of the entity they signed it for in the opus info, that can be seen in the advanced tab (can't remember the asn1 object id right now). they do the same for UEFI bootloaders signed by the UEFI third party certificate.

it would be nice if they could have proper certificate transparency-like processes for driver signing and provide any and all drivers/uefi bootloaders for download such that anyone can analyse them. i report third party uefi bootloader vulns to MSRC because MS signed them for someone and they can easily get in contact with the responsible vendor, and get taken more seriously than just some random researcher. maybe I should do the same with vulnerable drivers and see what happens.

i also think MS should clamp down on code obfuscation in drivers. whether that's disallowing it, only allowing it when the obfuscated code is cleanly sandboxed (wasm?) with clean interfaces specified to not allow anything dangerous to be called by obfuscated code, only allowing it by signing using a different chain that would not be trusted by default and require a BS|NV variable (and physical-presence separate boot application) to allow (because your typical corporate system shouldn't ever be loading, for example, genshin impact's anti-cheat driver, right?)...
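A defender-side check for the two situations the post describes (drivers not signed through Microsoft's portal, and signed drivers with no timestamp, so an expired or leaked certificate still validates), added here as an example; it is not Rairii's code. It assumes Windows 10 or later with PowerShell 5.1+, and that Microsoft's driver-signing publisher CN is `Microsoft Windows Hardware Compatibility Publisher` (inbox drivers use `Microsoft Windows`).

```powershell
# Added example (not from the original post). Inventories the kernel drivers on
# the local machine and classifies each one by who signed it and whether the
# signature carries a countersignature timestamp.
# Assumptions: Windows 10+, PowerShell 5.1+; the subject-name regex below is an
# assumption about Microsoft's publisher CNs. Chain trust itself is decided by
# Get-AuthenticodeSignature, not by the name match.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
$MsSignerPattern = '^CN=Microsoft Windows( Hardware Compatibility Publisher)?,'

function Get-DriverSigningReport {
    param([string]$Path = $DriverDir)
    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig         = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer      = $sig.SignerCertificate
            $msSigned    = $false
            $expired     = $false
            # No TimeStamperCertificate means nothing pins the signing time, so the
            # certificate's expiry date is never effectively enforced (the gap the
            # post describes for leaked, long-expired signing keys).
            $timestamped = $null -ne $sig.TimeStamperCertificate
            if ($signer) {
                $msSigned = $signer.Subject -match $MsSignerPattern
                $expired  = $signer.NotAfter -lt (Get-Date)
            }
            [pscustomobject]@{
                Driver      = $_.Name
                Status      = $sig.Status
                Signer      = if ($signer) { $signer.Subject } else { '<none>' }
                MsSigned    = $msSigned
                Timestamped = $timestamped
                CertExpired = $expired
                Finding     = switch ($true) {
                    ($sig.Status -ne 'Valid') { 'not-valid-or-unsigned'; break }
                    (-not $msSigned)          { 'not-ms-signed'; break }
                    (-not $timestamped)       { 'no-timestamp'; break }
                    default                   { 'ok' }
                }
            }
        }
}

# Usage: show only the drivers that deserve a closer look, grouped by finding.
Get-DriverSigningReport | Where-Object Finding -ne 'ok' |
    Sort-Object Finding, Driver | Format-Table -AutoSize
```

Get-AuthenticodeSignature reports only the primary signature, so a driver that is dual-signed (vendor certificate plus Microsoft attestation signature) may be listed as `not-ms-signed` even though Windows accepts it via the second signature; treat that bucket as a triage list, not a verdict.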
