Microsoft has fixed a known issue breaking HTTP/2 localhost (127.0.0.1) connections and IIS websites after installing recent Windows security updates.
This bug affects both Windows 11 and Windows Server 2025 systems, where users will see connection reset errors when loading pages or using apps that try to connect to the localhost (127.0.0.1) IP address.
As BleepingComputer reported on Wednesday, the issue is triggered after installing the Windows 11 KB5066835 Patch Tuesday update, and even September’s KB5065789 preview update, causing errors such as “ERR_CONNECTION_RESET” or “ERR_HTTP2_PROTOCOL_ERROR”.
These problems have been reported by Windows users on Stack Exchange, Reddit, and Microsoft’s own forums, who state they are no longer able to make HTTP connections to 127.0.0.1. This bug has impacted the Duo Desktop app and features in many widely used applications, including Visual Studio debugging and SSMS Entra ID authentication.
Following these widespread reports, Microsoft confirmed the known issue and linked it to a bug in the HTTP.sys Windows-based web server for ASP.NET Core. The company added that this bug can be triggered by a variety of conditions, including the timing of recent device restarts and update installations, as well as the device’s internet connectivity.
“Following installation of updates releases on or after September 29 (KB5066835), server-side applications that rely on HTTP.sys may experience issues with incoming connections,” the company explained in a Thursday update on the Windows release health dashboard.
“As a result, IIS websites might fail to load, displaying a message such as ‘Connection reset – error (ERR_CONNECTION_RESET)’, or similar error. This includes websites hosted on http://localhost/, and other IIS connections.”
Microsoft asked affected users to go through the following procedure to resolve the issue on impacted devices:
- Open “Windows Update” in the “Windows Settings” app. This can be accomplished by opening the start menu, typing “check for updates”, and selecting from the results to the right.
- Click on “Check for updates”. Allow any updates to install.
- Restart your device even if no updates are installed in the previous step.
Redmond has also automatically resolved the issue on non-managed business devices and for most home users via Known Issue Rollback (KIR), a Windows feature that reverses buggy updates delivered via Windows Update.
To fix it on affected Windows enterprise-managed devices running Windows 11 24H2, Windows 11 25H2, and Windows Server 2025, IT administrators must install and configure the following KIR group policy.
Admins can find additional guidance on deploying and configuring KIR group policies on Microsoft’s support website.
Redmond says a permanent fix will roll out with a future Windows update, so organizations will no longer need to install a group policy to address this issue.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
