Instead of blacklisting every strange, new or potentially malicious program on your system, create a whitelist. The list of approved, trusted programs is far smaller than the list of everything you might want to block, so it is much easier to manage, and it spares you from deciding, case by case, whether each new program that appears should be allowed to run.

A whitelist is a default-deny rule: anything not explicitly approved is prevented from executing on the system.

This can be done in a few ways. On a single machine you can whitelist applications with the Local Security Policy editor (secpol.msc), where both Software Restriction Policies and AppLocker rules live under Security Settings. This approach is strictly local, so it has to be configured on each device; without centralised management you can see how this quickly becomes complex and ineffective once you are dealing with many devices.


Therefore, the recommended approach is to push the policy centrally: through Group Policy in Windows Active Directory (AppLocker rules in a GPO linked to the relevant OUs) or, for Azure AD-joined devices, through Intune/MDM. Both give you one place to manage the list and let you enforce policy changes remotely on every device, which is far easier and more effective.
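The steps above, as an added PowerShell example (not code from the original page): build an AppLocker allow-list from a clean reference build, start in audit mode, test a binary against the draft, then apply it either locally or into a domain GPO. The directories, the temporary XML path, the test file and the LDAP path of the GPO are assumptions; replace them with your own.

```powershell
# Added example, not from the original page. Requires the AppLocker module
# (Windows Enterprise/Education or Server) and an elevated session.
Import-Module AppLocker

# Assumed locations that are allowed to contain code on the reference build.
$ReferenceDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$PolicyXml     = 'C:\Temp\allowlist.xml'   # assumed scratch path

# 1. Inventory executables and scripts in the trusted locations.
#    (Add Dll to -FileType only after testing; DLL rules are expensive.)
$files = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Turn the inventory into rules: publisher rules for signed files (they
#    survive patching), hash rules for unsigned ones. -Optimize merges
#    rules that share the same publisher.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                              -User Everyone -Optimize

# 3. Start in AuditOnly: rules are evaluated and logged to the AppLocker
#    event log (Microsoft-Windows-AppLocker/EXE and DLL) but nothing is
#    blocked yet. Review the "would have been blocked" events (ID 8003)
#    for gaps before switching EnforcementMode to 'Enabled'.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }
$policy.ToXml() | Out-File -FilePath $PolicyXml -Encoding UTF8

# 4. Check a specific binary against the draft before rolling it out.
#    PolicyDecision is Allowed, Denied or DeniedByDefaultRule.
$verdict = Test-AppLockerPolicy -XmlPolicy $PolicyXml `
               -Path 'C:\Users\Public\suspicious.exe' -User Everyone   # assumed test file
$verdict | Select-Object FilePath, PolicyDecision, MatchingRule

# 5a. Apply locally (the single-machine approach). AppLocker only evaluates
#     rules while the Application Identity service is running.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 5b. Or publish the same XML into a domain GPO so every linked machine
#     gets it (assumed GPO path; replace with your own).
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap 'LDAP://DC1.corp.example/CN={GUID},CN=Policies,CN=System,DC=corp,DC=example'
```

Without `-Merge`, `Set-AppLockerPolicy` replaces whatever policy is already in place, so keep the audit-mode XML under version control and diff it before each change. Users who write to locations covered by a path or publisher rule (for example a world-writable folder under Program Files) can bypass the list, which is why hash and publisher rules are preferred over broad path rules here.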