Can you check the connection events of the intrusion events to see what application id and web application id are identified for those 2 events?
You can create 2 new rules to include a more specific web application identification, if the windows servers are identified different.
Or, you can add the windows servers IP addresses into an object and apply a different IPS policy with the rules disabled only on those IP addresses (with a separate ACP rule that matches the object).