I’ll share my understanding of this, though I’m far from one of the experts here.
It would be lovely if there was a single test suite that would qualify a driver for a wide range of OS releases, but that doesn’t seem to be the way Microsoft has set this up. The HCK controller can be used for pre-10 operating systems, and different HLK controllers are used for each unique Windows 10 or 11 version. I have two dedicated physical machines I use to perform kernel driver testing: a controller system and a target system.
The controller system dual boots into either Server 2012 for hosting the HCK controller, and Windows 10 Pro for hosting VMWare Player that in turn runs Server 2016 VMs, one for each of 8 Windows 10 or 11 versions I test against.
The target system is madly partitioned to boot into each of the supported targets from Windows 8.1 to Windows 11. The ISOs for the various operating systems are available from https://my.visualstudio.com/downloads , assuming you have the necessary Microsoft subscription. I use a tool called Rufus to create a bootable install image onto a USB drive when I need to set up a new target OS. (One caution about setting up targets for Windows Server editions: Microsoft’s prerequisites currently say “If you are testing against a Windows Server, you install a DataCenter edition and the ‘Full Server’ or ‘Server with a GUI’ during Setup,” but if you follow that advice your tests will fail the “Operate in Server Core Test.” Install the DataCenter edition, but choose the non-GUI option. It’s no fun to get everything set up from the command line, though.)
The controller and target machines are cabled directly to one another with a short CAT6 cable and have static IP addresses, so they’re well isolated.
I’ve performed some attestation signing on a coworker’s behalf for some drivers, and that is a wonderfully simple process. The main drawback, as far as I can tell from the documentation, is that attestation signing can only be used for drivers meant for Windows 10 or later, which may be fine for some customer bases.
I’m holding out a miniscule hope that an expert chimes in and tells us both that it’s all much, much simpler, but this is my current understanding of what is needed to secure Microsoft’s signature on a kernel driver.
(See also this thread from a few years ago where it’s suggested that testing for all Windows 10 versions is probably not strictly required. You may have some leeway to decide how thorough you want to be about it.)