You may notice within reports and notices from CrowdStrike references to Sensors being in RFM, which is Reduced Functionality Mode. What is RFM and what does it mean for your Sensors?
RFM happens most often when the OS has updates that have not been approved and verified to work with the installed CrowdStrike Sensor on that server/workstation and the Sensor’s protective functionality working with the OS is going to be very limited.
CrowdStrike’s process is to test, verify and approve Windows Microsoft updates within 48 hours of release and for macOS and Linux within 10 days of release.
So, if you immediately install Microsoft updates in the evening of the Microsoft Patch Tuesday, those devices will be in RFM for the next 48 hours at least..
Similarly, with the recent release of macOS 15 Sequoia, changes within macOS made it so the Sensor couldn’t work correctly until Apple released the 15.0.1 update.
RFM is something to be aware of as you set your Windows/macOS/Linux update scheduling for what your organization’s risk tolerance is
RFM can also occur for other reasons, so going to the Exposure Management -> Managed Assets and filtering on the In RFM column to check for assets in RFM, once a week, is a good suggestion.
MiSecure generally has been seeing machines go into RFM around the Microsoft Patch Tuesday release cycle and then within the next 48 hours, come out of RFM.
Additional links to CrowdStrike documentation for RFM
CrowdStike Documentation for Windows RFM
CrowdStike Documentation for Linux RFM
CrowdStike Documentation for macOS RFM