Secure domain join Windows (vSphere)

cannot identify a secure domain join provisioning method that does not leave traces (passwords) in logs

Expected outcome:
join domain with provided parameters during provisioning without leaving the passwords in logfiles (windows panther logfiles)
Foreman and Proxy versions:
Foreman and Proxy plugin versions:

Distribution and version:

As the title says, we’re trying to deploy Windows machines through vSphere. We can join domain using powershell in user-data file.
works like a charm but after the provisioning the setupact.log in c:\windows\panther\UnattendGC shows passwords in clear text

has anyone identified any way to do a secure domain joijn without the users being able to retrieve the passwords used?

thanks so much for any ideas, for us this is huge security concern.
I’m aware of the possibility to do unsecure domain join with machinepassword but I’m trying to avoid to rely on API server