I think a bit of theory here will go a long way, because this can get overwhelming when you never did it before.
EAP-TLS is more complicated to configure then EAP-PEAP, so you should start by configuring EAP-PEAP and test it, when it works then you move on to EAP-TLS.
On the NPS side, you shouldn't put all the authentication types (TLS, EAP, PEAP, EAP-MSCHAPv2), you should put only PEAP.
NPS works as ACLs, it will go from top through bottom and stop on first match. If you put all into 1 entry, you don't really know where it blocks or why, I suggest doing one policy for EAP-PEAP and a new one for EAP-TLS.
Your client configuration is ok for EAP-PEAP right now (you should also check the "validate server certificate" feature later on when tests are good). If you configured your NPS policy for PEAP correctly, the client you posted should connect fine.
If you are not sure about client configuration, best tip I can give you is use a Iphone,MAC or Ipad. They will auto detect PEAP settings and validate server cert.
Cheers,