And this is a problem why exactly?
So, just tell them in writing it's not vulnerable? Or better yet put a message somewhere on your main support site...
And just because they are running Windows doesn't mean they are not vulnerable to stuff embedded in products.
Which is easier when making your previously UNIX-only product run on Windows: rewrite all your scripts in PowerShell, or compile and ship a bash interpreter for Windows and just change some paths...
Cygwin-based services can use bash, including Apache with CGI, etc.
These things can happen in the real world.