I wrote earlier:
If you send to WHQL for Windows 7, Microsoft uses SHA-1 certificate for signing CAT, and SHA-256 for signing the driver. So if you are using CAT, it will still load in non-updated Win7, no dual signing needed from either you, or Microsoft.
Sorry, but as it happens, it was a complete lie. When I checked that information I looked at our WHQL-signed drivers, and didn’t notice they were over a year old. At that time, indeed, the Win7 drivers were signed using SHA-1, but that MS certificate expired in March 2020. When I sent some Win7-drivers today, I noticed they received SHA-256 (on both SYS and CAT files).
Therefore, as of now, if you don’t have an active SHA-1 certificate, there is no official way to sign a driver, which would load in a non-updated Windows 7/2008r2 and in any Vista/2008. And after July 1, there will be no official way of doing it, even if you do have an SHA-1 certificate.