First, generate a root (this could be the CA you deploy using Global Protect or Group Policy or whatever you can).
Then you would want to create an intermediate CA (this could be the decrypt CA).
You should also create a new root that isn't deployed to clients and use it as the untrusted CA.
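
The three steps above, sketched with OpenSSL as an added example (not part of the original post). The subject names, file names, key size and lifetimes are assumptions; adjust them to your environment.

```shell
#!/usr/bin/env bash
# Constructed example: all CNs, file names and lifetimes below are assumptions.
set -eu
umask 077   # private keys are written unencrypted; keep them owner-only

write_ca_config() {   # minimal config carrying the CA extensions
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_pki() {
  local d=$1; write_ca_config "$d"
  # 1. Root CA: the only certificate pushed to clients (GPO, GlobalProtect, ...)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/ca.cnf" -extensions v3_root -subj "/CN=Example Corp Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt"
  # 2. Intermediate (decrypt) CA, signed by the root; pathlen:0 stops it
  #    from issuing further CAs
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Example Corp Decrypt CA" \
    -keyout "$d/decrypt.key" -out "$d/decrypt.csr"
  openssl x509 -req -in "$d/decrypt.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -sha256 -days 1825 \
    -extfile "$d/ca.cnf" -extensions v3_intermediate -out "$d/decrypt.crt"
  # 3. Separate self-signed root that is never deployed to clients, so
  #    anything it signs still triggers a browser warning
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -config "$d/ca.cnf" -extensions v3_root -subj "/CN=Example Corp Untrusted CA" \
    -keyout "$d/untrusted.key" -out "$d/untrusted.crt"
}

# Succeeds only if certificate $2 chains to the deployed root in directory $1
chains_to_root() { openssl verify -CAfile "$1/root.crt" "$1/$2" >/dev/null 2>&1; }

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
echo "PKI written to $PKI_DIR"
```

`chains_to_root "$PKI_DIR" decrypt.crt` succeeds while `chains_to_root "$PKI_DIR" untrusted.crt` fails, which is the separation the third step is meant to guarantee.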