When a machine is deleted from Active Directory, it still shows up in the Symantec Endpoint Encryption Management Console.
By default, the Active Directory Synchronization will synchronize objects that have been added to the domain, but will not remove deleted objects. To do this, "Reverse Data Verification" must be enabled.
From the Symantec Endpoint Encryption Installation Guide:
Active Directory Synchronization is configured and enabled
Enable Reverse Data Verification