To my knowledge, they aren't the ones signing the software. Microsoft runs a UEFI CA and just bless the developer's sub-CA. The developer is fully in control of their own CA and could sign whatever they want.
No. I don't know if Microsoft "partners" have some special privilege, but for 3rd parties Microsoft will _never_ sign your CA. They sign individual binaries.
