There is nothing built into ConfigMgr to do this securely or otherwise.
You should check out the Local Administrator Password Solution (LAPS) from Microsoft (https://www.microsoft.com/en-us/download/details.aspx?id=46899) or third-party solutions such as those from Lieberman Software.
Also note that the functionality to set a password via group policy preferences is is insecure for other reasons namely that it is stored in plain text (the reason you've stated can only be done by a local admin so that doesn't make it insecure). This
functionality should have been disabled in your environment though via an update Microsoft released a while back.