Microsoft’s October Windows 11 updates have broken the “localhost” functionality, making applications that connect back to 127.0.0.1 over HTTP/2 no longer function properly.
Localhost refers to the local computer or device you’re currently using, which can be accessed through the special IP address 127.0.0.1.
Developers commonly use localhost to test websites or debug applications, but it can also be used by applications that need to connect to a locally running service to perform some action or query.
After installing the Windows 11 KB5066835 Patch Tuesday, and even September’s KB5065789 preview update, users are finding that their applications are no longer able to complete HTTP connections to the localhost (127.0.0.1) IP address.
When attempting to do so, they received errors like “ERR_CONNECTION_RESET” or “ERR_HTTP2_PROTOCOL_ERROR”.
These issues have been reported by Windows users on the Microsoft forums, Stack Exchange, and Reddit, all stating they are no longer able to make HTTP connections to 127.0.0.1.
The bug has impacted widely used applications, including Visual Studio debugging, SSMS Entra ID authentication, and the Duo Desktop app, which verifies device security posture and requires connections back to web servers running on the localhost.
“After performing Windows Updates for Windows 11 24H2 and 25H2, you may experience an issue where the Duo Prompt is unable to reach Duo Desktop,” reads the Duo support bulletin.
“This may prevent successful authentication (or result in limited functionality) in situations where the following are in use: Trusted Endpoints, Policies such as the Duo Desktop & Device Health policy, Duo Desktop as an Authentication Method. Duo Passport. Verified Duo Push with Bluetooth Autofill or Proximity Verification.”
While some have suggested the following Registry entries help resolve the problem by disabling the HTTP/2 protocol, others state that it does not fix the issue.
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftIISParameters]
"EnableHttp2"=dword:00000000
"EnableHttp2OverTls"=dword:00000000
Another method that some claim resolved the problem was to install the latest Microsoft Defender intelligence update. However, others report that it has not fixed the issue on their Windows devices.
Instead, the only sure way to resolve the bug has been to uninstall the October KB5066835 update and September’s KB5065789 preview update.
Windows users can uninstall the updates using the following commands:
wusa /uninstall /kb:5066835
wusa /uninstall /kb:5065789
After uninstalling the updates and restarting Windows, the loopback interface should once again allow HTTP/2 connections, resolving the issues using applications.
BleepingComputer contacted Microsoft about this bug and will update our story if we receive a response.
Join the Breach and Attack Simulation Summit and experience the future of security validation. Hear from top experts and see how AI-powered BAS is transforming breach and attack simulation.
Don’t miss the event that will shape the future of your security strategy
