If the Endpoint Configuration Tool has already been run on the endpoint but you still receive the "access denied" error while configuring your Windows Agentless endpoint, search the Windows Event Viewer for the message "0xC0000070 STATUS_INVALID_WORKSTATION".
If you find this message in the Event Viewer, update the "userWorkstations" attribute of the AD account used to connect to the endpoints. The official description of the userWorkstations field is: "Contains the NetBIOS or DNS names of the computers running Windows from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas". You must ADD the ENTM hostname to this field (comma-separated). If you have more than one PIM server, add all of them.
To edit the userWorkstations attribute:
After changing this attribute of the AD account, you will be able to configure the Windows Agentless Endpoints.
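One way to make this change from PowerShell, as an added example that is not part of the original article: it appends the PIM/ENTM server names to the existing comma-separated list instead of overwriting it, and leaves an empty attribute alone, because an empty userWorkstations value means the account is not restricted to any workstation. It assumes the RSAT ActiveDirectory module is installed; the account name `svc-pim-agentless` and the host names `ENTM01` and `ENTM02` are placeholders.

```powershell
# Added example: append PIM/ENTM server names to userWorkstations without
# dropping the workstations already listed on the account.
# Assumptions (not from the article): the RSAT ActiveDirectory module is
# installed; 'svc-pim-agentless', 'ENTM01' and 'ENTM02' are placeholders.
Import-Module ActiveDirectory

function Merge-WorkstationList {
    param(
        [string]   $Current,   # existing comma-separated attribute value
        [string[]] $ToAdd      # host names to append
    )
    $names = @()
    if ($Current) {
        $names = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    foreach ($n in $ToAdd) {
        # -notcontains is case-insensitive, so ENTM01 and entm01 are not duplicated
        if ($names -notcontains $n.Trim()) { $names += $n.Trim() }
    }
    return ($names -join ',')
}

$account  = 'svc-pim-agentless'      # placeholder: AD account used to reach the endpoints
$pimHosts = @('ENTM01', 'ENTM02')    # placeholders: list every PIM/ENTM server

$user    = Get-ADUser -Identity $account -Properties userWorkstations
$current = [string]$user.userWorkstations

if ([string]::IsNullOrWhiteSpace($current)) {
    # Empty attribute = no workstation restriction. Writing a value here would
    # introduce a restriction, so leave it untouched.
    Write-Warning "userWorkstations is empty on $account; nothing to add."
}
else {
    $updated = Merge-WorkstationList -Current $current -ToAdd $pimHosts
    if ($updated -eq $current) {
        Write-Host "All PIM servers already listed: $current"
    }
    else {
        Set-ADUser -Identity $user -Replace @{ userWorkstations = $updated }
        Write-Host "userWorkstations: '$current' -> '$updated'"
    }
}
```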