You have an Azure subscription with Microsoft Defender for Cloud enabled. Your objective is to enforce ISO 27001:2013 standards across this subscription. Not only should these standards be enforced, but any noncompliant resources must also be automatically remediated.

To achieve this, consider that Security Center can now auto-provision Azure Policy's Guest Configuration extension (currently in preview). Azure Policy allows you to audit settings within machines, whether they are running directly in Azure or are Arc-connected. This auditing is executed through the Guest Configuration extension and client. With the latest update, Security Center can automatically provision this extension to all supported machines.

Enforcing a secure configuration based on specific recommendations can be done in two ways: by using Azure Policy's Deny effect, which prevents the creation of unhealthy resources, or by using the Enforce option, which leverages Azure Policy’s DeployIfNotExists effect to remediate noncompliant resources automatically at the point of creation.

What should you use?