Hmm, there seems to be rather a lot of capabilities that would need to be removed.
You could try removing the moodle/course:view capability, then your helpdesk technician would not be able to enter any courses without enrolling.
However, on reflection, I think the best solution might be to create a new custom role rather than modifying the manager role. The new role should be a system role (assignable in the system context), with the capability moodle/user:update allowed. Please note that this would allow your helpdesk technician to change anything in a user's profile, not just their password.
Roles and permissions
This discussion has been locked because a year has elapsed since the last post. Please start a new discussion topic.