Symantec Endpoint Security (formerly Endpoint Protection (SEP) 15) offers an option to deploy a Windows client package with Cleanwipe. The option is called "Remove existing Symantec Endpoint Protection client software that cannot be uninstalled", and can be found in Settings -> Installation Package -> Show More -> Software Removal Settings.
Deploying such a package using direct installation will work as expected. The old SEP client is successfully removed by the Cleanwipe tool and a new Endpoint Security client is installed.
Deploying the same package using Group Policy will not work. The installation does not start and the old SEP client remains installed.
Cleanwipe deployed using Group Policy requires elevated privileges that the installer is not able to obtain.
Deploying a package with Cleanwipe is not necessary in most scenarios unless the old SEP client is broken beyond repair and cannot be uninstalled using Windows' "Programs and Features".
The recommendation is to use an Endpoint Security installation package without Cleanwipe. It will automatically detect older versions of SEP and uninstall them before installing Endpoint Security.
More information on supported methods can be found in Upgrade paths to Endpoint Security.