HIPS is smart enough to determine the OS and not bother with the non-related OS signatures.
You can create an "IPS Options" policy to enable HIPS, and then create your "IPS Protection" policy to just log all High/Medium/Low signatures. That way you can run the IPS in log-only mode so you can review what is being blocked, and start making your Exception Rules from there.
You can go through and Disable signatures, right now there are 1087 signatures in my HIPS 8.0 catalog, and 322 are disabled, just to give you an idea.
Also, a hard lesson learned, if you nest policies like I do (System Baseline - Servers - SQL Servers), something we didn't know because our training implied differently: when you modify a signature from the McAfee Default, it becomes a custom signature. Now we should all know that the highest signature in a nested group is what is used, but if you change one of them, say from High to Off, then even though the other two policies have that signature as High, because you changed it in one, that custom Off is now the policy when nested.
Some other items:
1- If you have many systems built off an image, pick only one to start your logging and later blocking to build your baselines and exceptions.
2- Start with Highs and work your way down.
3- Whenever possible, don't turn on enterprise-wide if you don't have to. Do it in phases.
Thanks for the advice. I have a feeling the 'experts' around here want to do it in a big bang approach that I have long argued will not work and goes against McAfee Best Practice.
That is a problem for another day!