I have a Surface Pro 4, with an Ubuntu installation that has gone mostly unused for several years. I have secure boot off, and boot into grub, then into Windows most of the time.

Lately I've upgraded Ubuntu, and would like to switch Secure Boot back on in UEFI settings, to get rid of the red bar across the top. (I forgot how pretty it looks without it until recently).

However, when I turn on Secure Boot in UEFI settings, setting it to either to Microsoft Only or to Microsoft + 3rd Party CA (neither of which I really understand). It appears that UEFI skips over grub in the boot order, and boots directly into Windows. If I change it back to "Disabled" it boots into grub as normal.

I thought that Ubuntu came preconfigured to work with secure boot. What am I doing wrong? And what do I need to do to fix it?