DETAILED ACTION
The following claims are pending in this office action: 1, 3, 5-8, 10, 12-15, 17 and 19-21
The following claims are amended: 1, 3, 5-6, 8, 10, 12-15 and 17
The following claims are new: 20-21
The following claims are cancelled: 2, 4, 9, 11, 16 and 18
Claims 1, 3, 5-8, 10, 12-15, 17 and 19-21 are rejected. This rejection is FINAL.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
RESPONSE TO ARGUMENTS
Applicant’s arguments filed in the amendment filed 02/22/2022 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment. 
Independent claim 1 is amended to recite “adding the component to or activating the component in the secure computing infrastructure, wherein the adding or activating enables the component to communicate with devices of the secure computing infrastructure with the one or more security restrictions applied to the component”.  This limitation has been mapped to Innes et al. (US Patent No. 10,841,316) below and rejected accordingly.  
Applicant notes examiner maps the “component” of claim 1 to the boot server of Raj.  However, because the boot server is disconnected from the network, the boot server is prevented from communicating with the other devices.    The component has been remapped to the client device/VM of Innes et al. (US Patent No. 10,841,316) below and rejected accordingly.  
Applicant notes Raj fails to teach or suggest adding or activating the boot server based on a determination that the boot server is not trustworthy.  This has been remapped to allowing access to the client device/VM of Innes et al. (US Patent No. 10,841,316) below and rejected accordingly.   
Independent claims 8 and 15 are amended in a similar way to claim 1 and is mapped to Innes et al. (US Patent No. 10,841,316) below and rejected accordingly.  
Dependent claims 3, 5-7, 10, 12-14, 17 and 19 depend on independent claims 1, 11, and 16.  The amended elements in the independent claims have been mapped to Innes et al. (US Patent No. 10,841,316) and Allen (US Patent No. 9,135,437) below, and so any additional features to the dependent claims are rejected accordingly.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Innes et al. (US Patent No. 10,841,316) (hereinafter “Innes”) and in view of Raj et al. (US Pub. 2013/0054948) (hereinafter “Raj”). 

As per claim 1, Innes teaches a method for establishing and maintaining a secure computing infrastructure, the method comprising: upon an attestation event ([Innes, col. 52, ln. 7-12] a gateway server using an attestation service, attests the user device during device authentication using a label that is determined using the context information of the device [see col. 51, ln. 29-31]), determining that a component to be added to or activated in the [secure] computing infrastructure ([col. 1, ln. 48-52; col. 7, ln. 16-20] the client device/machine [a component] is given access [added/activated] to one or more resources in a remote computing environment [computing infrastructure] dependent upon the attestation event; Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure), is not trustworthy; and ([col. 56, ln. 28-36; col. 56, ln. 54-67] based upon the context information of the device the gateway, based on above attestation service involved in device authentication, determines that the device is an unmanaged device [not trustworthy as policies are in place to prevent the unmanaged devices to access trusted resources – see col. 14, ln. 22-27]) 
based on the determination that the component is not trustworthy, applying one or more security restrictions to the component, and ([Innes, col. 57, ln. 4-15] an unmanaged device is assigned a green label, which applies the security restriction of not allowing the device to access sensitive data; [col. 40, ln. 31-44] using the label, security groups denying access to network resources [security restrictions] are applied to the device)
adding the component to or activating the component in the [secure] computing infrastructure, ([Innes, col. 57, ln. 34-48] the reconnection process is completed and the applications are launched; reconnecting is where an unmanaged/untrusted device is connected/added/activated to the remote computing environment [see col. 56, ln. 33-36]; Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure) wherein the adding or activating enables the component to communicate with devices of the [secure] computing infrastructure ([col. 57, ln. 43-48] by connecting to the remote computing environment the user device may access database servers, file shares, mailboxes and the like using Kerberos/SSL/TLS after the reconnection process is completed]; Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure) with the one or more security restrictions applied to the component. ([col. 57, ln. 49-53] however, sensitive data repositories become inaccessible; [col. 40, ln. 31-44] security groups denying access to network resources [security restrictions] are applied to the device])
Innes does not clearly teach adding or activating a component in a secure computing infrastructure.  (However, see col. 13, ln. 58-61, the enterprise resources are secured, and so the remote computing environment that includes enterprise resources is a secure computing environment)
However, Raj teaches adding or activating a component in a secure computing environment.  ([Raj, Fig. 1-2, para. 0015; para. 0029; para. 0030] a computer system includes a boot server and production server devices [a secure cloud computing environment/computing infrastructure] which enables secure booting [activation/adding] of a guest OS [a component])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Innes with the teachings of Raj to include adding or activating a component in a secure computing infrastructure.  One of ordinary skill in the art would have been motivated to make this modification because including a secure computing environment provides the benefit of improving the security its customers by isolating the guest VM [client device – see col. 7 ln. 25-34 of Innes where the client device is clearly described as a VM] from other guest VMs [other client devices], while still providing various applications/services. (Raj, para. 0015)

As per claim 8, Innes teaches A computer system for establishing and maintaining a [secure] computing infrastructure, the computer system comprising: a plurality of servers, the plurality of servers including one or more virtual machines (VMs); ([Innes, Fig. 2; col. 7 ln. 61-64] a cloud computing environment [computer system] includes more than one server [a plurality of servers].  [Col. 8, ln. 67 to col. 9, ln. 1-2; col. 10, ln. 64-67 to col. 11, ln. 1-24] the servers includes one or more unsecure/secure virtual machines.  Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure)
an application running in the computer system performs a method comprising: ([Innes, Fig. 2, col. 6, ln. 21-25] the cloud computing environment [computing system] by means of software [an application] performs the method described) determining that a component to be added to or activated in the secure computing infrastructure ([col. 1, ln. 48-52; col. 7, ln. 16-20] the client device/machine [a component] is given access [added/activated] to one or more resources in a remote computing environment [computing infrastructure] dependent upon the attestation event; Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure), is not trustworthy, and ([col. 56, ln. 28-36; col. 56, ln. 54-67] based upon the context information of the device the gateway, based on above attestation service involved in device authentication, determines that the device is an unmanaged device [not trustworthy as policies are in place to prevent the unmanaged devices to access trusted resources – see col. 14, ln. 22-27])
based on the determination that the component is not trustworthy, ([Innes, col. 57, ln. 4-15] based on the determination the device is an unmanaged device, the device is assigned a green label) 
applying one or more security restrictions to the component, and, ([Innes, col. 40, ln. 31-44] using the label, security groups denying access to network resources [security restrictions] are applied to the device)
enabling the component to be added to or activated in the [secure] computing infrastructure, ([Innes, col. 57, ln. 34-48] the applications are launched, enabling the reconnection process for the device; reconnecting is where an unmanaged/untrusted device is connected/added/activated to the remote computing environment [see col. 56, ln. 33-36]; Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure) wherein the enabling of the component to be added or activated further enables the component to communicate with devices of the [secure] computing infrastructure ([col. 57, ln. 43-48] by connecting to the remote computing environment the user device may access database servers, file shares, mailboxes and the like using Kerberos/SSL/TLS after the reconnection process is completed]; Raj below more clearly discloses that the component may be added/activated to a secure computing infrastructure) with the one or more security restrictions applied to the component.  ([col. 57, ln. 49-53] however, sensitive data repositories become inaccessible; [col. 40, ln. 31-44] security groups denying access to network resources [security restrictions] are applied to the device])
Innes does not clearly teach adding or activating a component in a secure computing infrastructure; a plurality of networks coupled to the plurality of servers, the plurality of networks including a storage network; and a plurality of storage components coupled to the storage network, wherein when a storage component or a VM is to be added to or first used in the secure computing infrastructure.  
However, Raj teaches However, Raj teaches adding or activating a component in a secure computing environment;  ([Raj, Fig. 1-2, para. 0015; para. 0029; para. 0030] a computer system includes a boot server and production server devices [a secure cloud computing environment/computing infrastructure] which enables secure booting [activation/adding] of a guest OS [a component])
a plurality of networks coupled to the plurality of servers, the plurality of networks including a storage network; and ([Raj, Fig. 2; para. 0027; para. 0031] a plurality of networks is connected to the servers including networks for storage devices [storage networks])
a plurality of storage components coupled to the storage network, ([Raj, Fig. 2; para. 0031] a plurality of storage devices is in communication with the servers described)
wherein when a storage component or a VM is to be added to or first used in the secure computing infrastructure. ([Raj, para. 0004]  when a guest VM offering storage and networking capabilities [storage component or VM - see para. 0021] is booted [first used] on the computing infrastructure)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Innes with the teachings of Raj to include adding or activating a component in a secure computing environment; a plurality of networks coupled to the plurality of servers, the plurality of networks including a storage network; and a plurality of storage components coupled to the storage network, wherein when a storage component or a VM is to be added to or first used in the secure computing infrastructure.  One of ordinary skill in the art would have been motivated to make this modification because including a secure computing environment provides the benefit of improving the security its customers by isolating the guest VM [client device – see col. 7 ln. 25-34 of Innes where the client device is clearly described as a VM] from other guest VMs [other client devices], while still providing various applications/services. (Raj, para. 0015)

As per claim 15, Innes teaches a non-transitory computer-readable medium comprising instruction in a computer system wherein the instruction when executed in the computer system cause the computer system to carry out a method.  ([Innes, col. 5, ln. 34-67] program instructions in hardware such as hard disk [non-transitory computer-readable medium] are executed by computers such as the cloud computing environment [computer system] which implement the method described)
The method performs the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rational applied against claim 1.  

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Innes in view of Raj as applied to claim 1, 8, and 15 above, and further in view of Allen (US Patent No. 9,135,437) (hereinafter “Allen”). 

As per claim 3, Innes in view of Raj teaches claim 1.  
Innes in view of Raj does not teach wherein applying the one or more security restrictions includes only allowing the component to perform operations that do not involve encryption.  
However, Allen teaches wherein applying the one or more security restrictions ([Allen, col. 11, ln. 11-17] the cryptographic policy system under the control of a hypervisor and enforcing an application on a VM [the component, see col. 2, ln. 18-27] determines that an application employs cryptographic algorithms, determines that those cryptographic algorithms are disallowed, and takes one or more remediating actions [security restriction] in response to the determination) includes only allowing the component to perform operations that do not involve encryption.  ([Col. 8, ln. 62-67 to col. 9, ln. 9-10] based on the determination that the implementation of the cryptographic algorithm is disallowed by the policy, the hypervisor blocks execution of that portion of computer executable instructions by the virtual machine [only allowing the component to perform operation that do not involve encryption])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Innes in view of Raj with the teachings of Allen to include wherein applying the one or more security restrictions includes only allowing the component to perform operations that do not involve encryption.  One of ordinary skill in the art would have been motivated to make this modification because preventing an application/device from using encryption, for example because it uses a key for encryption that does not exceed a minimum complexity, prevents unapproved or insufficiently secure use of cryptography algorithms that may be introduced into the system by the application/devices. (Allen, col. 8, ln. 53-61; col. 2, ln. 47-56)

As per claim 10, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 17, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

Claims 5-7, 12-14, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Innes in view of Raj as applied to claims 1, 8, and 15 above and further in view of Cucinotta et al. (US Pub. 2015/0089589) (hereinafter “Cucinotta”).

As per claim 5, Innes in view of Raj teaches claim 1.  
Innes in view of Raj does not teach wherein applying the one or more security restriction includes: encrypting data transferred to or through the component; and decrypting data received from the component.
However, Cucinotta teaches wherein applying the one or more security restriction includes: encrypting data transferred to or through the component; ([Cucinotta, Fig. 1; para. 0007] the method disclosed allows for isolation [applies a security restriction] of untrusted virtual machines such as those found in cloud computing infrastructures. [Fig. 1; para. 0065] all data transferred to or through the untrusted domain 80 [the untrusted VM/ untrusted component] must pass through the encryption hardware 40B which is hardwired to forcibly encrypt the data before)
and decrypting data received from the component.  ([Cucinotta, Fig. 1; para. 0064] all incoming communications received from the untrusted domain 80 [the untrusted VM/the untrusted component] must pass through the decryption hardware 40A which is hardwired to decrypt the received data)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Innes in view of Raj with the teachings of Cucinotta to include wherein applying the one or more security restriction includes: encrypting data transferred to or through the component; and decrypting data received from the component.  One of ordinary skill in the art would have been motivated to make this modification because this prevent access to data within the trusted domain that is not intended to be provided to the component, prevents any unencrypted data from exiting the trusted domain, and preserves integrity of the data.  (Cucinotta, para. 0013-0015)

As per claim 6, Innes in view of Raj and further in view of Cucinotta teaches claim 5.  
Innes in view of Raj does not teach wherein encrypting and decrypting the data is performed with the aid of a security module.
However, Cucinotta teaches wherein encrypting and decrypting the data is performed with the aid of a security module. ([Cucinotta, Fig. 1; para. 0063-0065] the encrypting and decrypting is performed by the trusted cryptographic hardware unit, a security module, which includes the decryption and encryption hardware)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Innes in view of Raj with the teachings of Cucinotta to include encrypting and decrypting the data is performed with the aid of a security module.  One of ordinary skill in the art would have been motivated to make this modification because using a hardware security module allows the trusted domain to avoid malicious software overriding or reprogramming functions of the devices in the trusted domain.  (Cucinotta, para. 0015)

As per claim 7, Innes in view of Raj and further in view of Cucinotta teaches claim 6.  
Innes in view of Raj does not teach wherein the security module is a trusted platform module.
However, Cucinotta teaches wherein the security module is a trusted platform module. ([Cucinotta, para. 0072] the private key used for the encryption/decryption process is injected into the cryptographic unit and stored in a trusted platform module, making the generic trusted cryptographic hardware unit a trusted platform module)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Innes in view of Raj with the teachings of Cucinotta to include wherein the security module is a trusted platform module.  One of ordinary skill in the art would have been motivated to make this modification because such a technique allows the cryptographic chip to be protected against sophisticated physical attacks to the hardware by utilizing tamper-proof manufacturing that’s a feature of trusted platform modules.  (Cucinotta, para. 0069)

As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 13, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 14, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

As per claim 19, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 20, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 21, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Schory et al (US Pub. 2020/0396259) discloses a protected device that is contacted by a second and third unsecure device, which then has security policies applied to it to allow it to communicate with the protected device, but then partially blocking such communications.  
Woolward (US Pub. 2017/0374101) discloses a hypervisor which allows an untrusted VM to communicate with a host operating system and hardware based on enforcement point security policies.
Kitchen et al. (US Pub. 2018/0004377) discloses a device integration framework where a gateway devices enables a user device to exchange data using one or more rules of a security system so that the user device may be joined to the security system.  
Fu (US Pub. 2020/0074121) discloses disallowing cryptographic operations in the event that a component fails to satisfied the need of the user of the system.  
Hadley (US Pub. 2014/0140512) discloses comparators to enforce rules for disallowing a crypto process to complete encryption/description. 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493