Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see remarks, filed 03-01-2021, with respect to claim objections and rejections under 35 USC 112(b) have been fully considered and are persuasive in light of new amendments. The objections and rejections under 35 USC 112(b) are withdrawn.
Applicant's arguments, see remarks, filed 03-01-2021, regarding the double patenting rejection have been fully considered but they are not persuasive. The attorney argues that, based on the amendments, the rejection is overcome. The examiner disagrees with the contention because the prosecution of both applications is pending. It is not clear whether the app. 16541395 would be amended with the same concept or with other modifications – as it can be broadly interpreted that “an appropriate security zone” shall be a user account bound VM. Therefore the rejection is currently maintained and based on the amendments and/or further prosecution the rejection shall be reconsidered.
Applicant's arguments see remarks, filed 03-01-2021 Pgs. 3-4 regarding double patenting rejection have been fully considered but they are not persuasive. The attorney argues only based on the amended language which was not included for consideration that “the cited portions of Podvratnik do not relate to or teach anything about already executing virtual machines… this does not teach or suggest displaying on items to be displayed for a bound user account user specific indications that at least identify a bound user account as called for in the claim. Rather, it is related to the process of instantiating a VM in a particular host platform. Turning to Berrange, it appears to be related to enforcing security policies on the VMs using a context label to control resource access, but such does not appear to amount to actually an air-gapped computer… As to the alleged motivation for combining the references, any such motivation is irrelevant at least because the references do not teach all of the claim features. Thus, even assuming that a person having ordinary skill in the art would be motivated to combine the references, such a combination would not result in all of the claim features. Accordingly, the claimed invention would not be obvious to a person having ordinary skill in the art”. The examiner respectfully disagrees with the argument. The prior art Podvratnik teaches col. 5 lines 10-50: system contains a multitude of resource pools/host platforms hosting running instances of VMs. Each running VM also has a resource pool profile… Spare resources are calculated dynamically by comparing the VM resource usage profiles (user-specific VM resource usage profiles) … any resource shortage is quickly detected and an existing VM image instance is moved immediately to another resource pool. Hence the prior art does teach already running VM instances and requesting user’s resources are allocated dynamically. 
Even if arguendo, when the VM is instantiated and provisioned, it is ‘already running’ per the user requested usage pattern (URUP), RUP/HRUP based on the logged in user and then only the user is allowed access. The resources shall be ‘dynamically’ allocated when the VM(s) is/are in use i.e., already running. Furthermore, neither ‘already running’ VMs nor binding a user account to a VM is considered an inventive concept, as explained here and in prior art (Grechishkin et al US 8732607), and user accounts are bound to already instantiated from VM images and are provisioned instances of VMs (i.e., already running). The display of unique user account credentials is taught by prior art Berrange: [0018, Fig. 3] each virtual machine of the virtualization host is assigned a unique login account associated with the network resources and each login account is configured to only permit access to the network resources associated with the virtual machine using that account and [0025] each context label of the context labels identifies one of the VMs. See MPEP 2141.02 VI. As to the arguments for motivation, it is changed in this rejection. The same reasoning is applied for the dependent claims 5, 9-11, 17, and 21-23 as the same arguments are attributed as above. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). 
Also, see interview summary and allowable subject matter (in this OA). Therefore the rejection under 35 USC 103 is maintained. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11-03-2020 was in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claim 1 is objected to because of the following informalities: “and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account. displaying user specific indications on desktop items associated with each user account”. The period between the account and display limitations needs to be corrected with a semi-colon. Appropriate correction is required.

Claim Interpretation
Claims 18 and 20 – 23 are objected to because of the following informalities:  the claims recite “where the system if further configured to:” It appears that the system may or may not be configured to perform the said processes. However, for prior art purposes it was treated as if the system executes it but it shall be that the system may not execute them in actuality. Appropriate correction is required.
Also, for claim 1, the last limitation “displaying user specific [indications] on desktop items associated with each user account.” – is considered redundant as the previous limitation itself recites the same information. The applicant is suggested to remove this limitation.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 2, 12, 13 and 14 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 11 and 12 of U.S. Application No. 16541395 in view of Podvratnik et al (US Pub. #: 9495215), hereafter Podvratnik. 
Instant App. 16580623
1. A method for binding a user account operable on an air-gapped computer to an appropriate already executing virtual machine (VM), comprising: monitoring a plurality of already executing VMs to determine an associated user account for each of the plurality of VMs, wherein the plurality of already executing VMs are executed over the air-gapped computer, and wherein each of the plurality of already executing VMs is a distinct security zone in the air-gapped computer; determining a current VM from the plurality of already executing VMs to bind to a user account; binding the user account to the determined VM, thereby associating the user account with the virtual machine; and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account; displaying user specific indications on desktop items associated with each user account.
2. The method of claim 1, wherein a VM is associated with a user account based on predetermined characteristics.
12. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry of an air-gapped computer having at least an appropriate executing virtual machine (VM) to perform a process, the process comprising: monitoring a plurality of already executing VMs to determine an associated user account for each of the plurality of VMs, wherein the plurality of already executing VMs are executed over the air-gapped computer, and wherein each of the plurality of already executing VMs is a distinct security zone in the air-gapped computer; determining a current VM from the plurality of already executing VMs to bind to a user account; binding the user account to the determined VM, thereby associating the user account with the virtual machine; and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account.
13. An air gapped computer, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: monitor a plurality of already executing virtual machines (VMs) to determine an associated user account for each of the plurality of VMs, wherein the plurality of already executing VMs are executed over the air-gapped computer, and wherein each of the plurality of already executing VMs is a distinct security zone in the air-gapped computer determine a current VM from the plurality of already executing VMs to bind to a user account; bind the user account to the determined VM, thereby associating the user account with the virtual machine; and cause at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account.
14. The system of claim 13, wherein a VM is associated with a user account based on predetermined characteristics.

Pending App. 16541395
already executing virtual machine, comprising: monitoring a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone (i.e., bound user account) in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.
11. A non-transitory computer readable medium having stored thereon instructions for monitoring a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.
12. An air-gapped endpoint, comprising: a network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the air-gapped endpoint to: monitor a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercept the user request and analyzing a level of permission required to complete the user request; determine an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and execute the user request in the appropriate security zone.


App. 16541395 recites most elements of the instant app. 16580623 but is silent on determining a current VM from the plurality of VMs to bind an associated user account thereto; and displaying user specific indications on desktop items associated with each user account.
However, the analogous art Podvratnik teaches determining a current VM from the plurality of VMs to bind an associated user account thereto; and displaying user specific indications on desktop items associated with each user account (Col. 7 lines 13-18, Fig. 4: the engine determines a current VM from a plurality of VMs based on availability of associated user-specific VM resource profile (URUP); Col. 7 lines 9-40, Fig. 4: based on the available URUP, in combination with RUP and instantiates or selects (Col. 8 lines 3-8) a host platform and informs the user).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of App. 16541395 to include the idea of binding a user account to a VM and displaying user specific indications as taught by Podvratnik, thus minimizing user wait time and increasing user satisfaction (Col. 9 lines 35-36).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 4, 6, 12 – 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Podvratnik et al (US Pub. #: 9495215), hereafter Podvratnik and Berrange; Daniel (US Pub. #: 20170048249), hereafter Berrange.
Claim 1: Podvratnik teaches a method for binding a user account operable on an air-gapped computer to an appropriate already executing virtual machine (VM), comprising: monitoring a plurality of already executing VMs (Col. 2 lines 12-53, Fig. 1: the system monitors (Col. 4 lines 48-54) the plurality of running instances of VMs and determines a user-specific VM among a plurality of running VMs (Col. 5 lines 18-23); col. 5 lines 10-11, Fig. 1: system contains a multitude of resource pools/host platforms hosting running instances of VMs);
determining a current VM from the plurality of already executing VMs to bind to a user account; (Col. 7 lines 13-18, Fig. 4: the engine determines a current VM from a plurality of VMs based on availability of associated User-specific VM Resource Usage Profile (URUP) and (col. 5 lines 35-41) dynamically computing resource allocations based on user-specific VM resource usage profiles for running VM image instances; Col. 7 lines 9-40, Fig. 4: based on the available logged in user’s URUP, in combination with RUP and selects (Col. 8 lines 3-8) a host platform and informs the requesting user (col. 4 lines 53-57) the provisioning of a particular running VM image instance by the system based on the stored user profile of the logged in user);
Podvratnik teaches the claimed concept but is silent on wherein the plurality of already executing VMs are executed over the air-gapped computer, and wherein each of the plurality of already executing VMs is a distinct security zone in the air-gapped computer; binding the user account to the determined VM, thereby associating the user account with the virtual machine; and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account. displaying user specific indications on desktop items associated with each user account.
However, the analogous art Berrange teaches wherein the plurality of already executing VMs are executed over the air-gapped computer, and wherein each of the plurality of already executing VMs is a distinct security zone in the air-gapped computer; ([0018-22, Fig. 1] the system comprises a plurality of VMs executed via a private network, wherein each of the plurality of VMs is an [0013] isolated secure domain in the system, each login account may be configured to only permit access to the network resources associated with the virtual machine using that account).
binding the user account to the determined VM, thereby associating the user account with the virtual machine; ([0018, Fig. 3] each virtual machine of the virtualization host is assigned a unique login account associated with the network resources and each login account is configured to only permit access to the network resources associated with the virtual machine using that account);
and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account. displaying user specific indications on desktop items associated with each user account. ([0038-41, Fig. 3] dynamically user accounts are created, for each virtual machine when required and permits a given user account to access the specific virtual machine using that user account and [0025] each context label of the context labels identifies one of the VMs... identity that a user is authenticated with (UNIX login name/group), and the identity under which access control decisions are made at a VM level (labeling using security context labels));
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a plurality of VMs running in a private network as taught by Berrange thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claim 12: Podvratnik teaches a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry of an air-gapped computer having at least an appropriate executing virtual machine (VM) to perform a process, the process comprising: monitoring a plurality of already executing VMs already executing VMs to bind to a user account; (Col. 2 lines 12-53, Fig. 1: the system monitors (Col. 4 lines 48-54) the plurality of running instances of VMs and determines a user-specific VM among a plurality of running VMs (Col. 5 lines 18-23); col. 5 lines 10-11, Fig. 1: system contains a multitude of resource pools/host platforms hosting running instances of VMs; Col. 7 lines 13-18, Fig. 4: the engine determines a current VM from a plurality of VMs based on availability of associated User-specific VM Resource Usage Profile (URUP) and (col. 5 lines 35-41) dynamically computing resource allocations based on user-specific VM resource usage profiles for running VM image instances; Col. 7 lines 9-40, Fig. 4: based on the available logged in user’s URUP, in combination with RUP and selects (Col. 8 lines 3-8) a host platform and informs the requesting user (col. 4 lines 53-57) the provisioning of a particular running VM image instance by the system based on the stored user profile of the logged in user); 
Podvratnik teaches the claimed concept but is silent on wherein the plurality of VMs are executed over the air-gapped computer, and wherein each of the plurality of VMs is a distinct security zone in the air-gapped computer; binding the user account to the determined VM, thereby associating the user account with the virtual machine; and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account.
However, the analogous art Berrange teaches wherein the plurality of VMs are executed over the air-gapped computer, and wherein each of the plurality of VMs is a distinct security zone in the air-gapped computer; binding the user account to the determined VM, thereby associating the user account with the virtual machine; and causing at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account. ([0018-22, Fig. 1] the system comprises a plurality of VMs executed via a private network, wherein each of the plurality of VMs is an [0013] isolated secure domain in the system, each login account may be configured to only permit access to the network resources associated with the virtual machine using that account; [0018] each virtual machine of the virtualization host is assigned a unique login account associated with the network resources and each login account is configured to only permit access to the network resources associated with the virtual machine using that account; [0038-41, Fig. 3] dynamically user accounts are created, for each virtual machine when required and permits a given user account to access the specific virtual machine using that user account and [0025] each context label of the context labels identifies one of the VMs... identity that a user is authenticated with (UNIX login name/group), and the identity under which access control decisions are made at a VM level (labeling using security context labels)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a plurality of VMs running in a private network as taught by Berrange thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claim 13: Podvratnik teaches an air gapped computer, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: monitor a plurality of already executing virtual machines (VMs) (Col. 2 lines 12-53, Fig. 1: the system monitors (Col. 4 lines 48-54) the plurality of running instances of VMs and determines a user-specific VM among a plurality of running VMs (Col. 5 lines 18-23); col. 5 lines 10-11, Fig. 1: system contains a multitude of resource pools/host platforms hosting running instances of VMs; Col. 7 lines 13-18, Fig. 4: the engine determines a current VM from a plurality of VMs based on availability of associated User-specific VM Resource Usage Profile (URUP) and (col. 5 lines 35-41) dynamically computing resource allocations based on user-specific VM resource usage profiles for running VM image instances; Col. 7 lines 9-40, Fig. 4: based on the available logged in user’s URUP, in combination with RUP and selects (Col. 8 lines 3-8) a host platform and informs the requesting user (col. 4 lines 53-57) the provisioning of a particular running VM image instance by the system based on the stored user profile of the logged in user); 
Podvratnik teaches the claimed concept but is silent on wherein the plurality of VMs are executed over the air-gapped computer, and wherein each of the plurality of VMs is a distinct security zone in the air-gapped computer; bind the user account to the determined VM, thereby associating the user account with the virtual machine; and cause at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account.
However, the analogous art Berrange teaches wherein the plurality of VMs are executed over the air-gapped computer, and wherein each of the plurality of VMs is a distinct security zone in the air-gapped computer; bind the user account to the determined VM, thereby associating the user account with the virtual machine; and cause at least one indication that at least identifies a bound user account to be displayed on at least one desktop item that is associated with the bound user account. ([0018-22, Fig. 1] the system comprises a plurality of VMs executed via a private network, wherein each of the plurality of VMs is an [0013] isolated secure domain in the system, each login account may be configured to only permit access to the network resources associated with the virtual machine using that account; [0018] each virtual machine of the virtualization host is assigned a unique login account associated with the network resources and each login account is configured to only permit access to the network resources associated with the virtual machine using that account; [0038-41, Fig. 3] dynamically user accounts are created, for each virtual machine when required and permits a given user account to access the specific virtual machine using that user account and [0025] each context label of the context labels identifies one of the VMs... identity that a user is authenticated with (UNIX login name/group), and the identity under which access control decisions are made at a VM level (labeling using security context labels)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a plurality of VMs running in a private network as taught by Berrange thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claim 2: the combination of Podvratnik and Berrange teaches the method of claim 1, wherein a VM is associated with a user account based on predetermined characteristics. (Podvratnik: Col. 7 lines 19-23: If the URUP exists, the Placement Engine combines data from the Resource Usage Profile (RUP) of a VM image and the URUP of the requesting user to consider user-specific usage patterns (URUP) for a VM of a given type (col. 4 lines 54-55) for the logged in user).
Claim 3: the combination of Podvratnik and Berrange teaches the method of claim 2, wherein the predetermined characteristics include at least one of: use of a type of email server, access to a shared drive, and web browser customizations. (Podvratnik: Col. 1 lines 58-62: the user-specific VM resource usage profile including resource usage data, the resource usage data indicating a predicted user-specific resource consumption (Col. 4 lines 66-67 CPU usage, memory usage, disc storage usage, etc.) of the requested instance of the indicated VM image over the first period of time).
Claim 4: the combination of Podvratnik and Berrange teaches the method of claim 1, wherein the user specific indications include at least one of: a colored window border, a unique window border, and a relevant avatar. (Berrange: [0014, 48] each guest domain is assigned a security context label to uniquely identify a specific guest domain (virtual machine), account data includes an account credential that uniquely identifies the virtual machine).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a user specific indication as taught by Berrange, thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claim 6: the combination of Podvratnik and Berrange teaches the method of claim 1, further comprising: monitoring password inputs in the current VM; and warning a user when a password of a monitored password input is detected in a non-appropriate VM. (Berrange: [0015, 0026-27] the host OS denies access unless there is a policy rule permitting the guest domain access and a match between the security context labels associated with the guest domain and the disk; [0039-40, Figs. 5 and 6] The user authentication unit creates a unique user account (user-name & password)... permissions are set such that the user account associated with the virtual machine only has the ability to access the network-based resources that are to be assigned to it).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a user specific indication for passwords as taught by Berrange, thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claim 14: the combination of Podvratnik and Berrange teaches the system of claim 13, wherein a VM is associated with a user account based on predetermined characteristics. (Podvratnik: Col. 7 lines 19-23: If the URUP exists, the Placement Engine combines data from the Resource Usage Profile (RUP) of a VM image and the URUP of the requesting user to consider user-specific usage patterns (URUP) for a VM of a given type).
Claim 15: the combination of Podvratnik and Berrange teaches the system of claim 14, wherein the predetermined characteristics include at least one of: use of a type of email server, access to a shared drive, and web browser customizations. (Podvratnik: Col. 1 lines 58-62: the user-specific VM resource usage profile including resource usage data, the resource usage data indicating a predicted user-specific resource consumption (Col. 4 lines 66-67 CPU usage, memory usage, disc storage usage, etc.) of the requested instance of the indicated VM image over the first period of time).
Claim 16: the combination of Podvratnik and Berrange teaches the system of claim 13, wherein the user specific indications include at least one of: a colored window border, a unique window border, and a relevant avatar. (Berrange: [0014] each guest domain is assigned a security context label to uniquely identify a specific guest domain (virtual machine)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a user specific indication as taught by Berrange, thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claim 18: the combination of Podvratnik and Berrange teaches the system of claim 13, where the system is further configured to: monitor password inputs in the current VM; and warn a user when a password of a monitored password input is detected in a non-appropriate VM. (Berrange: [0015, 0026-27] the host OS may deny access unless there is a policy rule permitting the guest domain access and a match between the security context labels associated with the guest domain and the disk; [0039-40, Figs. 5 and 6] The user authentication unit creates a unique user account (user-name & password)... permissions are set such that the user account associated with the virtual machine only has the ability to access the network-based resources that are to be assigned to it).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Podvratnik to include the idea of having a user specific indication for passwords as taught by Berrange, thus providing isolation for local processes to prevent them from interfering with each other or the physical layer of the system and to isolate the resources from amongst the different VMs ([0025, 29]).
Claims 5, 9 – 11, 17 and 21 – 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Podvratnik and Berrange as applied to claims above, and further in view of Momchilov et al (US Pub. #: 9210213), hereafter Momchilov.
Claim 5: the combination of Podvratnik and Berrange teaches the method of claim 1, but is silent on wherein the user specific indications are displayed as topmost graphics in the VM.
However, the analogous art Momchilov teaches wherein the user specific indications are displayed as topmost graphics in the VM.  (Col. 34 lines 65-67: the host agent sends windows information: window position, size, styles, and window text for all the top-level windows on the client device (Col. 35 lines 28-30, 36-37) by reproducing the owner/owned relationship among windows, TOP MOST flag in the window style, all graphics output goes directly to the screen).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Podvratnik and Berrange to include the idea of labelling windows with topmost graphics as taught by Momchilov so that users can seamlessly use local and remote applications during regular business operation or remote applications hosted on multiple servers at the same time (Col. 34 lines 34-37).
Claim 9: the combination of Podvratnik and Berrange teaches the method of claim 1, further comprising: capturing user credentials associated with the user account; sending the user credentials to a hypervisor; (Berrange: [0031] When hot-unplugging the resource or shutting down a virtual machine, the security context labels are reset to deny any further access using those labels; [0046] the user authentication unit may pass the VM connection details for the network-attached storage device including the unique user account & password it is allowed to use... the processing device validates (e.g., authorizes or rejects) the request in view the first and second security context labels and the security context data structure).

However, the analogous art Momchilov teaches logging onto all appropriate VMs with the user credentials from the hypervisor.  (Col. 32 lines 60-67: SSPI (Security Support Provider Interface) authenticates the user and returns a logon token, the client then uses the logon token to launch published applications in the context of B (Cols. 46-47 lines 66-67, 1-10) and enables parent-child association between VDAs and (Col. 40 lines 4-6) uses the GUID to uniquely identify sessions in scenarios where multiple simultaneous sessions are launched from the same client).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Podvratnik and Berrange to include the idea of logging into all windows with a single sign-on as taught by Momchilov so that users can seamlessly use local and remote applications during regular business operation or remote applications hosted on multiple servers at the same time (Col. 34 lines 34-37).
Claim 10: the combination of Podvratnik and Berrange teaches the method of claim 9, further comprising: but is silent on authenticating the user credentials using multi-factor authentication generated by the hypervisor.
However, the analogous art Momchilov teaches authenticating the user credentials using multi-factor authentication generated by the hypervisor.  (Col. 21 lines 61-67: multi-factor authentication is done using network-level and (Col. 32 lines 54-58) VDA level authentication of user generated by a hypervisor).
Col. 34 lines 34-37).
Claim 11: the combination of Podvratnik and Berrange teaches the method of claim 9, further comprising: but is silent on logging off all appropriate VMs when a single log off from a VM is detected.
However, the analogous art Momchilov teaches logging off all appropriate VMs when a single log off from a VM is detected.  (Col. 29 lines 61-65: if the remote desktop or virtual machine logs off or shuts down, existing published application windows are closed, via an API call to the local client's window manager, and processes associated with these windows are gracefully exited).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Podvratnik and Berrange to include the idea of multi-factor authentication by hypervisor as taught by Momchilov so that users can seamlessly use local and remote applications during regular business operation or remote applications hosted on multiple servers at the same time (Col. 34 lines 34-37).
Claim 17: the combination of Podvratnik and Berrange teaches the system of claim 13, but is silent on wherein the user specific indications are displayed as topmost graphics in the VM.
However, the analogous art Momchilov teaches wherein the user specific indications are displayed as topmost graphics in the VM.  (Col. 34 lines 65-67: the host agent sends windows information: window position, size, styles, and window text for all the top-level windows on the client device (Col. 35 lines 28-30, 36-37) by reproducing the owner/owned relationship among windows, TOP MOST flag in the window style, all graphics output goes directly to the screen).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Podvratnik and Berrange to include the idea of labelling windows with topmost graphics as taught by Momchilov so that users can seamlessly use local and remote applications during regular business operation or remote applications hosted on multiple servers at the same time (Col. 34 lines 34-37).
Claim 21: the combination of Podvratnik and Berrange teaches the system of claim 13, where the system is further configured to: capture user credentials associated with the user account; send the user credentials to a hypervisor; (Berrange: [0046] the user authentication unit may pass the VM connection details for the network-attached storage device including the unique user account & password it is allowed to use... the processing device validates [0019] via a hypervisor (e.g., authorizes or rejects) the request in view the first and second security context labels and the security context data structure).
The combination is silent on and log onto all appropriate VMs with the user credentials from the hypervisor.
However, the analogous art Momchilov teaches and log onto all appropriate VMs with the user credentials from the hypervisor.  (Col. 32 lines 60-67: SSPI (Security Support Provider Interface) authenticates the user and returns a logon token, the client then uses the logon token to launch published applications in the context of B (Cols. 46-47 lines 66-67, 1-10) and enables parent-child association between VDAs and (Col. 40 lines 4-6) uses the GUID to uniquely identify sessions in scenarios where multiple simultaneous sessions are launched from the same client).
Col. 34 lines 34-37).
Claim 22: the combination of Podvratnik and Berrange teaches the system of claim 21, where the system is further configured to: but is silent on authenticate the user credentials using multi-factor authentication generated by the hypervisor.
However, the analogous art Momchilov teaches authenticating the user credentials using multi-factor authentication generated by the hypervisor. (Col. 21 lines 61-67: multi-factor authentication is done using network-level and (Col. 32 lines 54-58) VDA level authentication of user generated by a hypervisor).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Podvratnik and Berrange to include the idea of multi-factor authentication by hypervisor as taught by Momchilov so that users can seamlessly use local and remote applications during regular business operation or remote applications hosted on multiple servers at the same time (Col. 34 lines 34-37).
Claim 23: the combination of Podvratnik and Berrange teaches the system of claim 21, where the system is further configured to: but is silent on log off all appropriate VMs when a single log off from a VM is detected.
However, the analogous art Momchilov teaches log off all appropriate VMs when a single log off from a VM is detected. (Col. 29 lines 61-65: if the remote desktop or virtual machine logs off or shuts down, existing published application windows are closed, via an API call to the local client's window manager, and processes associated with these windows are gracefully exited).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Podvratnik and Berrange to include the idea of multi-factor authentication by hypervisor as taught by Momchilov so that users can seamlessly use local and remote applications during regular business operation or remote applications hosted on multiple servers at the same time (Col. 34 lines 34-37).

Allowable Subject Matter
Claims 7, 8, 19 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.







/BADRINARAYANAN /Examiner, Art Unit 2438.