When we deploy a tool to rotate local admin passwords, we run it locally on the clients, so there’s no need to pass the credential through BigFix in a secure parameter. We push a public key to the system, rotate the password with a simple tool which also encrypts the password with the public key, and store the encrypted blob in a text file that gets read into BigFix for escrow.
If I had to generate some sort of per-system-unique credentials centrally and distribute them to BigFix clients without exposing the credentials to the relays, I’d probably stand up a simple web service (maybe using HashiCorp Vault?) which mapped client certificates to their credentials, then have BigFix trigger a fetch of the credentials using mutual TLS authentication to the web service (using curl or PowerShell) to obtain the unique credential per client. This keeps the credential transfer out of band for BigFix. But I’ve never had to do this.
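The rotate-and-escrow flow from the first paragraph, as an added Go example that is not the poster's tool or any BigFix code: `Seal` runs on the client holding only the pushed public key, and `Open` runs wherever the escrow private key lives. The hostname binding, the one-line blob layout (wrapped key, nonce, ciphertext, base64-encoded) and the caller-supplied password are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Seal protects a freshly rotated password for escrow: a random AES-256-GCM key encrypts it,
// RSA-OAEP wraps that key, and the hostname is bound as associated data (assumed layout).
func Seal(hostname, password string, pub *rsa.PublicKey) (string, error) {
	r := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(r); err != nil {
		return "", err
	}
	key, nonce := r[:32], r[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(key) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)
	blob := append(wrapped, nonce...) // wrapped key || nonce || ciphertext+tag
	blob = gcm.Seal(blob, nonce, []byte(password), []byte(hostname))
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open is the escrow-side inverse; it fails closed on a tampered blob, wrong key or wrong host.
func Open(hostname, line string, priv *rsa.PrivateKey) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(line)
	n := priv.Size() // RSA-OAEP output is exactly the modulus size
	if err != nil || len(blob) < n+28 { // wrapped key, 12-byte nonce, 16-byte GCM tag
		return "", errors.New("escrow blob malformed or truncated")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], nil)
	if err != nil || len(key) != 32 {
		return "", rsa.ErrDecryption
	}
	block, _ := aes.NewCipher(key) // key length verified above
	gcm, _ := cipher.NewGCM(block)
	pw, err := gcm.Open(nil, blob[n:n+12], blob[n+12:], []byte(hostname))
	if err != nil {
		return "", err
	}
	return string(pw), nil
}
```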