The site’s detected root is where Certify would place the files if it were using IIS instead of its internal challenge server. If it were using the internal server, it would make Windows direct .well-known requests to it using port sharing… I’m not sure if there are physical files with the internal server.
Certify doesn’t require that you have a working IIS instance. You can manually set the site’s root folder to where ever you want and it will still bind the certificate to the site you selected. This is the route I suggest you take instead of trying to intercept things. Just create a folder on the Windows machine that you know will work for the remote Apache server… then point Certify to that.
I don’t have a copy of v4.x in front of me… but in v5.x you select the IIS site in the Certificate options and set the Site Root Directory in the Authorization options. You may have to check the Advanced checkbox to see everything.