Given that you have both a Microsoft 365 subscription and an Azure subscription, with Microsoft 365 Defender and Microsoft Defender for Cloud enabled, your Azure subscription includes 50 virtual machines, each running different applications on Windows Server 2019. To maintain security, you need to propose a solution that ensures only authorized applications are allowed to run on these virtual machines. Specifically, if any unauthorized application tries to execute or get installed, it should be automatically blocked until an administrator gives approval. What security control would meet these requirements?