Intermediate Decryption Certificate in Microsoft Active Directory

If you have generated Decryption Certificate as intermediate authority and signed it using Microsoft Active Directory Certification services, no installation at all is needed on the client computers.

The client computers already trust the Root Certification Authority of your Active Directory, so they will automatically trust the certificates signed by your intermediate Decryption Certificate. This is the most convenient method for large network deployments.

This article at Web Safety admin guide describes the intermediate certificate generation in this case.