DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1–11, 13–20 and 22 are pending for examination in a reply filed on 11/19/2020.  Claims 12 and 21 are cancelled.  Claim 22 is NEW.

Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).


4.	Claims 1, 8, 15, and 22 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 8, 15, and 1 of US 9,990,222 B2 (“issued ’222 patent”) in view of Shaposhnik et al., US 2013/0332923 A1.

5.	Although the claims at issue are not identical, they are not patentably distinct (nonobvious) from each other, because at least some of the subject matter claimed in the instant application is already fully disclosed in issued ’222 patent.

For purposes of illustration, a table has been constructed below to compare the two independent claim 1s.

Instant Application No. 15/961,077:
1.   A method, comprising:
obtaining, by a host device comprising a host management component and a virtual machine execution environment, at least one compliance rule assigned to the host device, a hypervisor executed within the virtual machine 
determining, by the host management component, that the at least one compliance rule is violated; and
causing the host management component to perform an action in response to determining that the at least one compliance rule is violated, wherein the action comprises causing the host device or the hypervisor to be locked.

Issued ’222 Patent:
executing a host management component in a host device, the host device in communication with a networked environment, the host device comprising a virtual machine execution environment, wherein the virtual 
obtaining, by the host management component, at least one compliance rule stored on a device in an enterprise computing environment;
determining, by the host management component, whether at least one of the hypervisor or the virtual machine violates the at least one compliance rule based on data regarding a condition of the at least one of the hypervisor or the virtual machine obtained from the guest management component;
causing the host management component to perform a first action in response to determining that at least one of the hypervisor or the virtual machine violates the at least one compliance rule, wherein the first action includes modifying, enabling, disabling or uninstalling a component or a feature of the component of the at least one of the hypervisor or the virtual machine;
causing the guest management component to perform a second action on the host device further in response to determining that the host device violates the at least one compliance rule.

Additionally, as to claims 1, 8, 15 and 22, the issued ’222 patent does not fully disclose “causing the host device or the hypervisor to be locked.”

Shaposhnik et al., US 2013/0332923 A1 however teaches or suggests:
“causing the host device or the hypervisor to be locked”
(¶ 111: the host operating system 170 can disable functionality of the network communication device 142 for security reasons ... network. Because a user of the computer system 100 only interacts with the guest operating system 176, the user of the computer system 100 would not be able to circumvent the configuration of the host operating system 170 or the network communication device 142. The network communication device 142 could be configured in other ways for the purpose of enhanced security).

Shaposhnik teaches virtual machine security and thus is from the same field of endeavor and/or is reasonably pertinent to the particular problem faced by the inventor.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shaposhnik with the issued ’222 patent, to disable access to the host and VMs.  The motivation or advantage to do so is to restrict 


Examiner Notes
6.	Examiner refers to and explicitly cites particular pages, sections, figures, paragraphs or columns and lines in the references as applied to Applicant’s claims to the extent practicable to streamline prosecution.
Although the cited portions of the references are representative of the teachings in the art and are applied to meet the specific limitations of the claims, other uncited but related teachings of the references may be equally applicable as well.  It is respectfully requested that, in preparing responses to the rejections, the Applicant fully considers not only the cited portions of the references, but also the references in their entirety, as potentially teaching, suggesting or rendering obvious all or one or more aspects of the claimed invention.

Abbreviations
7.	Where appropriate, the following abbreviations will be used when referencing Applicant’s submissions and specific teachings of the reference(s):
i.	figure / figures:		Fig. / Figs.
ii.	column / columns:		Col. / Cols.
iii.	page / pages:			p. / pp.

References Cited
8.	(A)	Fitzgerald et al., US 2008/0134176 A1 (“Fitzgerald”).
	(B)	Cropper et al., US 2017/0109183 A1 (“Cropper”).
	(C)	Shaposhnik et al., US 2013/0332923 A1 (“Shaposhnik”).
	(D)	Barak et al., US 2014/0096134 A1 (“Barak”).
	(E)	Hu et al., US 2010/0070970 A1 (“Hu”).
	
Fitzgerald, Cropper, Barak, and Hu were cited in the previous Office action.

Notice re prior art available under both pre-AIA and AIA
9.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

A.
10.	Claims 1, 3–4, 7–8, 10, 14–15, 17, 20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Fitzgerald in view of (B) Cropper and (C) Shaposhnik.
See “References Cited” section, above, for full citations of references.

11.	Regarding claim 1, (A) Fitzgerald teaches/suggests the invention substantially as claimed, including:
“A method, comprising:
obtaining, by a host device comprising a host management component and a virtual machine execution environment, at least one compliance rule … a hypervisor executed within the virtual machine execution environment, or a virtual machine executed within the virtual machine execution environment”
(Fig. 1 and ¶ 41: each execution platform 101 includes a host or virtual machine monitor (host/VMM 103) running on that platform. The host/VMM 103 can be implemented with conventional or custom technology, so as to allow a virtual machine (guests/VM 107) to run therein;
¶ 225: getting compliance policies regarding a target VM);

“determining, by the host management component, that the at least one compliance rule is violated”
(¶ 227: an “execution-watcher” functionality. In such an embodiment, the process 403 operates to periodically examine the running guest/VM 107. If the guest/VM 107 becomes non-compliant for any reason (e.g., based on policy), then process 403 can implement one or more remedial actions;
¶ 228: once the VM is running, the execution-watcher checks (e.g., on a configurable time interval) that the VM is in policy-compliance. If not, remedial action can be taken (e.g., by operation of process 403 itself, or other processes of the managed system, such as the enforce process 800)); and

“causing the host management component to perform an action in response to determining that the at least one compliance rule is violated”
(¶¶ 227–228: implement one or more remedial actions).

Fitzgerald additionally teaches or suggests “at least one compliance rule … [of] the host device”
(¶ 57: to execute policy-based checking of the VMs, as well as their respective hosts (such as host/VMM 103) and/or the requestor;
¶ 173: VM host system can be adapted per policy as well;
¶ 198: VM host system can be checked for policy adherence).

	Fitzgerald does not teach “at least one compliance rule assigned to the host device.”
	
(B) Cropper however teaches or suggests:
“at least one compliance rule assigned to the host device”
(¶ 80: policies may be assigned to particular hosts or host groups such that all virtual machines deployed to or placed upon such hosts are automatically associated with the policies … policies may be assigned to particular types of virtual machines and/or hosts).

Cropper teaches virtual machine/environment policies and thus is from the same field of endeavor and/or is reasonably pertinent to the particular problem faced by the inventor.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Cropper with those of Fitzgerald, to directly assign/apply execution policies to VM hosts (e.g. VMM).  The motivation or advantage to do so is to effectively manage/control the execution of multiple hosted VMs to improve overall system performance, security, and/or reliability (see Cropper, ¶¶ 10–11).

	Fitzgerald additionally teaches unlocking a host device (¶ 290: when the VM does not satisfy one or more policies or is otherwise found to be non-compliant, then process 900 continues with adapting 909 the VM to conform. Adaptation can be, for example, ... install anti-virus software and/or security patches, run anti-virus scanning application (another malware detection/eradication applications), enable firewall and/or adjust firewall settings).


Fitzgerald and Cropper do not teach “wherein the action comprises causing the host device or the hypervisor to be locked.”

(C) Shaposhnik however teaches or suggests:
“wherein the action comprises causing the host device or the hypervisor to be locked”
(¶ 111: the host operating system 170 can disable functionality of the network communication device 142 for security reasons ... network. Because a user of the computer system 100 only interacts with the guest operating system 176, the user of the computer system 100 would not be able to circumvent the configuration of the host operating system 170 or the network communication device 142. The network communication device 142 could be configured in other ways for the purpose of enhanced security).

Shaposhnik teaches virtual machine security and thus is from the same field of endeavor and/or is reasonably pertinent to the particular problem faced by the inventor.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shaposhnik with those of Fitzgerald and Cropper, to disable access to the host and VMs.  The motivation or advantage to do so is to restrict VM access to the network based on policy violations or security requirements (e.g. to enhance security).


12.	Regarding claim 3, Fitzgerald teaches/suggests:
“wherein the action comprises enabling, disabling, or configuring a feature of a disk encryption, backup schedule, a network interface, or a network connection”


13.	Regarding claim 4, Fitzgerald and Cropper teach/suggest:
“wherein the at least one compliance rule is assigned to the host device and the virtual machine”
(Fitzgerald, ¶ 225: getting compliance policies regarding a target VM;
¶ 57: to execute policy-based checking of the VMs, as well as their respective hosts (such as host/VMM 103) and/or the requestor;
¶ 173: VM host system can be adapted per policy as well;
¶ 198: VM host system can be checked for policy adherence;
Cropper, ¶ 80: policies may be assigned to particular hosts)

“wherein the at least one compliance rule is based on time, geographical location, device, or network properties”
(Fitzgerald, ¶ 9: compliance policies requires the target VM to operate during a specified time window;
¶ 57: policy compliance to enforce policies regarding execution windows).

14.	Regarding claim 7, Fitzgerald teaches/suggests:
“wherein the action performed by the host management component comprises providing a command to cause a guest management component executed within the virtual machine execution environment to modify a condition of the virtual machine”
(¶ 58: the adapt VM module 211 is configured to adapt a non-compliant VM into compliance by making changes to the VM, such as direct manipulation/insertion of files, parameters, settings, and/or data into the VM. The adapt VM module 211 may also be configured to call or otherwise schedule other agents or processes to correct non-compliances;



15.	Regarding claim 22, Fitzgerald teaches/suggests:
“receiving, from the hypervisor, a command that causes the host management component to enable, disable or uninstall a component or a feature of the component of the host device”
(¶ 41: management agent 105 is programmed or otherwise configured to provide access to the SMP of the guests/VM 107, and to provide management and control functions;
¶ 230: if the post-execution VM content violates policy or is otherwise non-compliant, then process 405 can implement one or more actions, such as log, disable VM;
¶ 290: enable firewall).


16.	Regarding claims 8, 10, and 14, they are the corresponding system claims reciting similar limitations of commensurate scope as the method of claims 1, 3, and 7, respectively. Therefore, they are rejected on the same basis as claims 1, 3, and 7 above, and further including the following:

	Fitzgerald teaches/suggests:
“a host device comprising a processor, and a host management component and a virtual machine execution environment executable by the processor; a storage device storing a plurality of computer instructions executable by the processor”
(Fig. 1 and ¶¶ 10–11).

17.	Regarding claims 15, 17, and 20, they are the corresponding computer program product claims reciting similar limitations of commensurate scope as the method of claims 1, 3, and 7, respectively. Therefore, they are rejected on the same basis as claims 1, 3, and 7 above.


B.
18.	Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Fitzgerald in view of (B) Cropper and (C) Shaposhnik, as applied to claims 1, 8, and 15 above, and further in view of (D) Barak.

19.	Regarding claim 2, Fitzgerald teaches/suggests:
“obtaining, by the host management component, data regarding a condition of the virtual machine … within the virtual machine execution environment”
(Fig. 2a: Event Handler;
¶ 61: event handler 217 is programmed or otherwise configured to provide VM host (such as host/VMM 103) and utility integration by logging events that affect a VM (such as a guest/VM 107) in a managed system … various events … are captured, hooked, or otherwise intercepted by the event handler); and

“wherein the compliance rule is assigned to the virtual machine, and the host management component determines that the virtual machine violates the compliance rule based on the condition”
(¶ 227: an “execution-watcher” functionality. In such an embodiment, the process 403 operates to periodically examine the running guest/VM 107. If the guest/VM 107 becomes non-compliant for any reason (e.g., based on policy), then process 403 can implement one or more remedial actions;
¶ 228: once the VM is running, the execution-watcher checks (e.g., on a configurable time interval) that the VM is in policy-compliance. If not, remedial action can be taken (e.g., by operation of process 403 itself, or other processes of the managed system, such as the enforce process 800)).



	(D) Barak however teaches or suggests:
“obtaining … data regarding a condition of the virtual machine from a guest management component”
(¶ 32: Life cycle manager 301 may be an agent that is in charge of monitoring the life cycle (i.e., current state) of guest virtual machine 107 in cloud environment 101 as well as monitoring the integrity and enforcement of security policies on guest virtual machine 107. Life cycle manager 301 may receive from guest virtual machine 107 (e.g., a life cycle agent 321 on guest virtual machine 107), data regarding usage, state and integrity).

	Barak teaches virtual machine policy enforcement and thus is from the same field of endeavor and/or is reasonably pertinent to the particular problem faced by the inventor.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Barak with those of Fitzgerald, Cropper, and Shaposhnik, to implement an agent to provide VM events and data to the VM host (VMM).  The motivation or advantage to do so is to implement distributed processing/control to provide additional usage, state, and integrity information to the VMM/host to validate each VM’s compliance with its policy.

20.	Regarding claim 9, it is the corresponding system claim reciting similar limitations of commensurate scope as the method of claim 2. Therefore, it is rejected on the same basis as claim 2 above.

21.	Regarding claim 16, it is the corresponding computer program product claim reciting similar limitations of commensurate scope as the method of claim 2. Therefore, it is rejected on the same basis as claim 2 above.


C.
22.	Claims 5–6, 11, 13, and 18–19 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Fitzgerald in view of (B) Cropper and (C) Shaposhnik, as applied to claims 1, 8, and 15 above, and further in view of (E) Hu.

23.	Regarding claim 5, Fitzgerald and Cropper teach/suggest:
“wherein the compliance rule is assigned to the hypervisor, and the host management component determines that the virtual machine violates the compliance rule based on the condition”
(Fitzgerald, ¶ 225: getting compliance policies regarding a target VM;
¶¶ 57, 173, and 198, teaching policy-based checking of the VMs, as well as their respective host/VMM;
¶ 227: an “execution-watcher” functionality. In such an embodiment, the process 403 operates to periodically examine the running guest/VM 107. If the guest/VM 107 becomes non-compliant for any reason (e.g., based on policy), then process 403 can implement one or more remedial actions;
¶ 228: once the VM is running, the execution-watcher checks (e.g., on a configurable time interval) that the VM is in policy-compliance. If not, remedial action can be taken (e.g., by operation of process 403 itself, or other processes of the managed system, such as the enforce process 800);
Cropper, ¶ 80: policies may be assigned to particular hosts).

Fitzgerald is at least suggestive of “obtaining, by the host management component, data regarding a condition of the hypervisor from the hypervisor”

¶ 227, teaching using an “execution-watcher” functionality to check VM compliance).

Additionally, (E) Hu teaches or suggests:
“obtaining, by the host management component, data regarding a condition of the hypervisor from the hypervisor”
(¶ 36: a compliance specification 305 can also be derived from the hypervisor profile 203. A compliance specification 305 is in effect a set of compliance checks generated by the engine 301 from the description of the configuration in the profile 203 …. From time to time … a compliance component 307 uses the compliance specification 305 to verify that the hypervisors 201 generated based on the profile 203 are still in compliance therewith), and additionally

	“wherein the compliance rule is assigned to the hypervisor”
(¶ 34: apply a hypervisor profile 203 to one or more additional hypervisor(s) 201 by rendering the profile 201 to produce a configuration specification 303 describing a target hypervisor 201 configuration. More specifically, as explained above, a hypervisor profile 203 is data representing a set of policies).

Hu teaches hypervisor policy compliance and thus is from the same field of endeavor and/or is reasonably pertinent to the particular problem faced by the inventor.

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hu with those of Fitzgerald, Cropper, and Shaposhnik, to implement a compliance agent on the VMM/host to examine/receive VMM events and data.  The motivation or advantage to do so is to validate and enforce each VMM/host’s compliance with its adapted policy (see Fitzgerald, ¶¶ 57, 173, and 198, teaching policy-based checking of the VMs, as well as their respective host/VMM).

24.	Regarding claim 6, Fitzgerald and Hu teach/suggest:
“wherein the action performed by the host management component comprises modifying a condition of the hypervisor”
(Fitzgerald, ¶¶ 57, 173, and 198, teaching policy-based checking of the VMs, as well as their respective host/VMM;
¶ 228: once the VM is running, the execution-watcher checks (e.g., on a configurable time interval) that the VM is in policy-compliance. If not, remedial action can be taken;
Hu, ¶ 36: Responsive to determining that a given hypervisor 201 is not in compliance, the compliance component 307 can take an appropriate action as desired ... update the configuration, etc.).

25.	Regarding claims 11 and 13, they are the corresponding system claims reciting similar limitations of commensurate scope as the method of claims 5 and 6, respectively. Therefore, they are rejected on the same basis as claims 5 and 6 above.

26.	Regarding claims 19 and 18, they are the corresponding computer program product claims reciting similar limitations of commensurate scope as the method of claims 5 and 6, respectively. Therefore, they are rejected on the same basis as claims 5 and 6 above.



Response to Arguments
27.	Applicant’s arguments with respect to the claims have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.



The Examiner reminds the Applicant that, in view of the latest revised Examining Procedure (as of the Ninth Edition, Revision 08.2017) and as set forth in Section 804, in order for a reply to an Office action that includes a non-statutory double patenting rejection to be considered responsive, Applicant must now file a terminal disclaimer, or file a showing that the claims subject to the rejection are patentably distinct from the reference claims. Moreover, “such a filing should not be held in abeyance. Only objections or requirements as to form not necessary for further consideration of the claims may be held in abeyance until allowable subject matter is indicated.”

Accordingly, the non-statutory double patenting rejections are maintained.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.




Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571)272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN C WU/
Primary Examiner, Art Unit 2195
January 26, 2021