You are managing an environment with both a Microsoft 365 subscription and an Azure subscription. In this setup, Microsoft 365 Defender is active and Microsoft Defender for Cloud is also enabled. Your Azure subscription includes 50 virtual machines, and each of these VMs runs different applications on Windows Server 2019. Your goal is to ensure that only applications that have been approved can run on these virtual machines. If an unauthorized application tries to run or gets installed, it should be blocked automatically until the application is approved by an administrator. Which security control would you recommend to achieve this?