I’m not sure I understand what you’re trying to ask. PKI is a huge topic, you may need to break this down into smaller pieces.
BigFix does not proxy SCEP traffic between clients and an NDES server, that seems to be part of what you’re asking?
As far as I recall, certificates & PKI are not involved in Bitlocker, either. BigFix MDM can deploy policies to enforce Bitlocker encryption, and can help escrow the BitLocker keys (to, I believe, Active Directory or Hashicorp Vault, but I’d need to find more details if that’s what you’re asking about).