I'd have thought the cloud side would be pretty easy to script over. Presumably the images aren't encrypted from the host filesystem, so just ensure each VM is off, mount its image, delete the offending files, unmount the image and start the VM back up. Check it works for a few test machines, then let it rip on the whole fleet.
Don't forget that there's a hidden system junction at C:\ProgramData\Application Data that points to C:\ProgramData. Because everyone loves loops in their filesystem. Of course C:\Users\All Users is also a junction to C:\ProgramData. This kills updatedb in WSL.
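A loop-safe directory walk over the layout described in the comment above, as an added example that is not part of the original comments. It assumes the junctions appear to the walker as symlinks (constructed here with os.symlink in a temporary directory); build_sample_tree and walk_once are hypothetical names.

```python
import os
import tempfile


def build_sample_tree(root):
    """Constructed stand-in for the layout in the comment. Symlinks take the
    place of NTFS junctions (assumption: the walker sees them as links)."""
    program_data = os.path.join(root, "ProgramData")
    os.makedirs(os.path.join(program_data, "Vendor"))
    os.makedirs(os.path.join(root, "Users"))
    with open(os.path.join(program_data, "Vendor", "a.cfg"), "w") as fh:
        fh.write("sample")
    # ProgramData\Application Data -> ProgramData (self-referencing loop)
    os.symlink(program_data, os.path.join(program_data, "Application Data"))
    # Users\All Users -> ProgramData (second path into the same directory)
    os.symlink(program_data, os.path.join(root, "Users", "All Users"))
    return root


def walk_once(root):
    """Walk root while following links, entering each real directory once.
    Returns (files, skipped); skipped lists the links that led back to a
    directory that had already been visited."""
    seen, files, skipped = set(), [], []
    stack = [root]
    while stack:
        current = stack.pop()
        st = os.stat(current)            # follows the link to its target
        key = (st.st_dev, st.st_ino)     # identity of the real directory
        if key in seen:
            skipped.append(os.path.relpath(current, root))
            continue
        seen.add(key)
        with os.scandir(current) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=True):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=True):
                    files.append(os.path.relpath(entry.path, root))
    return sorted(files), sorted(skipped)


if __name__ == "__main__":
    found, loops = walk_once(build_sample_tree(tempfile.mkdtemp()))
    print("files:", found)
    print("links skipped as already visited:", loops)
```

Without the identity check, a walker that follows links never leaves ProgramData/Application Data; a walker that does not follow links at all (the default for os.walk) avoids the loop too.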