You are managing a Microsoft 365 subscription along with an Azure subscription that includes 50 virtual machines, each running different applications on Windows Server 2019. Both Microsoft 365 Defender and Microsoft Defender for Cloud are active across these systems. Your goal is to ensure that only authorized applications can execute on the virtual machines. If any unauthorized application tries to run or install, it should be automatically blocked until an administrator provides authorization. What security control would you recommend to achieve this?