I have several nodes like that and I use the following:
1) Created a query looking for outdated DATs on nodes.
2) Within the same query, if found, those nodes are moved to a separate subgroup, where the agent/client policies are configured to update every 5 minutes.
3) Created another query looking, within that subgroup mentioned above, for any updated nodes and if found sort.
Essentially, those nodes just get agent/client updates until they fall in line.
Not exactly connected to using shutdown...sorry.
I see use of the login script as a viable means of allowing the user not to do anything before the update is finished. Further I advise that these laptops should have a McAfee Agent policy assigned in which there is a repository that they can access very fast (so the update does not tinker long on the update).
Or, lacking a login script, you could register a script in the HKLM\....\Windows\CurrentVersion\Run key that invokes mcupdate.exe with parameters.
All with the necessary garnish of warnings and information and keeping the user off of mail client during the update.