Those of us who write Windows device drivers have suffered with this for a while. You get the best results* with an EV certificate, which only comes on a hardware key. When your build server is locked in a server room, or is a VM, or whatever, suddenly everything becomes harder than it needs to be.
I like the approach taken by one of the major consultancies:
https://www.osr.com/nt-insider/2016-issue1/today-in-driver-signing/ (see figure 6).
* a full description of when a non-EV certificate is acceptable is omitted for the sake of brevity and sanity.