Summary:

If the Endpoint Configuration Tool has been executed on the endpoint, but you are still receiving the "access denied" error while configuring your Windows Agentless endpoint, then you should check the Windows event viewer searching for the message "0xC0000070 STATUS_INVALID_WORKSTATION".

Instructions:

If you find such message on the event viewer, then update the attribute "userWorkstations" on the AD account used to connect to the endpoints. The official description of the userWorkstations field is: "Contains the NetBIOS or DNS names of the computers running Windows from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas". You must ADD the ENTM hostname to this field (comma-separated). If you have more than one PIM server, please add all of them.

To edit the userWorkstation attribute:

1. Open the Microsoft Management Console snap-in "Active Directory Users and Computers" (you must use a user that holds permissions to edit user accounts);
2. Click on View menu and click on "Advanced Features" item;
3. Search for the AD account used to connect to the endpoints;
4. Right-click the account and select Properties;
5. Go to the Attribute Editor tab, and locate the userWorkstations attribute. Double-click on it to edit;
6. Add the PIM servers hostnames to this attribute, comma-separated values;
7. Click on OK, and then OK again to save the changes.

After changing this attribute of the AD account, you will be able to configure the Windows Agentless Endpoints.

Additional Information:

https://msdn.microsoft.com/en-us/library/ms680868(v=vs.85).aspx