Hi,
Please verify that the CA is running Windows Server Enterprise Edition, and not Standard Edition. You must be running Enterprise Edition to publish and issue a NAP exemption certificate, or a health certificate from this CA.
If you are running Standard Edition, you can try continuing the lab and skip this step. Computers in the IPsec NAP Exemption group (NPS1) will not be autoenrolled with an exemption certificate, but I'm pretty sure this doesn't break the demonstration because the secure OU client requests a health certificate for outbound communications, but doesn't require one. Since the client initiates communication to HRA when renewing a health certificate, this is permitted.
In this situation, the HRA machine is not a typical member of the boundary network. These machines usually have certificates that allow them to initiate communications to machines on the secure network if needed.
-Greg