Just use the regular Ubuntu or a Fedora distro. These have the secure boot system in place to coexist with windows with zero headaches using a UEFI shim key signed by m$ through a 3rd party program m$ offers primary major distro packagers. These Twp options just work. Otherwise you must sign and replace your own keys for secure boot. There is good documentation available via PDF from the US government that goes into all the details of what to do and why at all different levels.
If you boot any distro that has a valid SB key and under secure boot UEFI will delete any unsigned bootable code as it is designed to do. This system works before init, so it is not a part of Linux or Windows. Neither of these OS's is at fault in almost any instance, despite people complaining regularly. They simply do not understand SB and UEFI. Do not follow some random tutorial on YT either. People say the dumbest things in this space, and there is a ton of misinformation. I can tell you quite a bit about it in depth. Worst case scenario, you can use a tool called Keytool to boot your computer directly into the UEFI system and manually change your keys of the hardware manufacturer did not do a full SB manual keys replacement implementation. Gentoo has some documentation on Keytool, but assumes a very high level of competency. The easy way, as mentioned, is simply to stick to any Fedora distro that uses the Anaconda pre-init system (all of them) or use Ubuntu.
I haven't tested Ubuntu's Nvidia driver implementation, but Fedora's is flawless so far over the last year I've been using it.