Hey dannie,
For using GPO i suggest to create one for call a script and check versions to quit or install, if necessary.
You can use a Computer Policies to create a shutdown script. For silent mode you need to create a silent package for SEP and call it. You dont need a reboot, cuz u have installed on shutdown.
Create a .bat or .vbs to check if an registry exists and run a package.
WshShell.RegRead("HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\ProductVersion")
I using here in my environment (13k clients / 350 remote locations) and works great.
Regards