DETAILED ACTION
This action is in response to new application filed 1/27/2022 titled “CLIENT AUTHENTICATION AND DATA MANAGEMENT SYSTEM”. Which is a continuation of 14/937315 which is a continuation of 12/514,22 now patent 8,468,591. Claims 1-20 were received for consideration and are under consideration.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/27/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-58 of U.S. Patent No. 8,468,591. Although the claims at issue are not identical, they are not patentably distinct from each other because each and every element of claims 1, 14 and 18 of the present application is broader and therefore anticipated by the corresponding independent claim 1 of the '591 patent.
17/586721 Claim 1
8,468,591 claim 1
With respect to claim 1, a system for protecting a computing device from unauthorized use comprising: 
 
A system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access by controlling whether such computing devices are permitted to boot their respective operating systems, the system comprising: 
(a) a computing device configured for communication over a network, said computing device having memory, storage, and input/output functions, said computing device capable of being connected to a network;
at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device having an operating system and a virtual machine, the virtual machine configured to be launched during boot of the protected computing device but prior to launch of the operating; 
(b) a virtual machine manager comprising a plurality of modules executable by a one or more systems in a distributed computing environment, wherein at least a portion of the virtual machine manager is executed on the computing device;
a virtual machine manager associated with the virtual machine, the virtual machine manager configured to be launched during boot of the protected computing device, the virtual machine manager configured to cause the authentication server to authenticate the protected computing device,
(c) a server configured communicatively coupled to said computing device and configured to authenticate said computing device by first receiving a request for authentication that is sent from the computing device and responding to the request for authentication by sending an authenticated indicator or a not authenticated indicator to the computing device;
an authentication server configured for authenticating the protected computing device for access to the secure data; and 
(d) the computing device further being configured to launch a virtual machine operating system only in response to receiving said authenticated indicator from the server, wherein prior to receiving said authenticated indicator said virtual machine operating system is not running and wherein once said virtual machine operating system is launched, said virtual machine operating system runs under the control of a particular virtual machine that is being managed by said virtual machine manager; and (e) the computing device further configured to prevent said virtual machine operating system from launching prior to receiving said authenticated indicator, whereby access to sensitive data present on the computing device cannot be accessed by the unauthenticated computing device.
the virtual machine manager configured to make a decision whether to allow the protected computing device to either launch or not launch the operating system based upon whether the protected computing device is either authenticated or not, respectively, by the authentication server, the virtual machine manager configured to control the protected computing device to either launch or not launch the operating system based upon the decision.


17/586721 Claim 14
8,468,591 claim 1
A system for protecting a computing device from unauthorized use comprising: 
A system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access by controlling whether such computing devices are permitted to boot their respective operating systems, the system comprising: 
(a) a computing device configured for communication over a network, said computing device having a virtual machine manager configured to run on said computing device, said computing device having memory, storage, input/output functions, and network capabilities;
at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device having an operating system and a virtual machine, the virtual machine configured to be launched during boot of the protected computing device but prior to launch of the operating; 
(b) a virtual machine controlled by said virtual machine manager; (c) a virtual machine operating system configured to run in said virtual machine; and
a virtual machine manager associated with the virtual machine, the virtual machine manager configured to be launched during boot of the protected computing device, the virtual machine manager configured to cause the authentication server to authenticate the protected computing device,
(d) a server configured for authenticating said computing device, said virtual machine manager configured to communicate a request for authentication to said server prior to launching said virtual machine, said virtual machine manager configured to either launch said virtual machine and boot said virtual machine operating system, or to not launch said virtual machine, based upon a response from said server to said request for authentication.
an authentication server configured for authenticating the protected computing device for access to the secure data; and the virtual machine manager configured to make a decision whether to allow the protected computing device to either launch or not launch the operating system based upon whether the protected computing device is either authenticated or not, respectively, by the authentication server, the virtual machine manager configured to control the protected computing device to either launch or not launch the operating system based upon the decision.


17/586721 Claim 18
8,468,591 claim 1
18. A system comprising: 
A system for protecting computing devices and associated secure data stored in at least one secure data storage component from unauthorized access by controlling whether such computing devices are permitted to boot their respective operating systems, the system comprising:
(a) a computing device configured for communication over a network
at least one protected computing device configured for communication through a network with a storage controller to access the secure data, the protected computing device having an operating system and a virtual machine, the virtual machine configured to be launched during boot of the protected computing device but prior to launch of the operating; 
(b) a virtual machine manager configured to communicate over said network; (c) a virtual machine configured to communicate with and be controlled by said virtual machine manager;
a virtual machine manager associated with the virtual machine, the virtual machine manager configured to be launched during boot of the protected computing device, the virtual machine manager configured to cause the authentication server to authenticate the protected computing device,
(d) a server program configured for authenticating said computing device, said virtual machine manager configured to communicate a request for authentication to said server program prior to launching said virtual machine, and said virtual machine manager configured to either launch or not launch said virtual machine to run on said computing device based upon a response to said request for authentication.
an authentication server configured for authenticating the protected computing device for access to the secure data; and the virtual machine manager configured to make a decision whether to allow the protected computing device to either launch or not launch the operating system based upon whether the protected computing device is either authenticated or not, respectively, by the authentication server, the virtual machine manager configured to control the protected computing device to either launch or not launch the operating system based upon the decision.


Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1, 4-7, 13-15 and 18-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Goud et al (US 2005/0138370) in view of Miller et al (US 2005/0005096).
With respect to claim 1, Goud teaches a system for protecting a computing device from unauthorized use comprising: 
(a) a computing device configured for communication over a network, said computing device having memory, storage, and input/output functions, said computing device capable of being connected to a network (see Goud figure 1 and 4 element 110 and paragraph 0017 and 0046 i.e. Chassis 405 includes a chassis management module ("CMM") 420 and a switch box 425. Media tray 415 optionally rests on top of chassis 405 and provides processing blades 410 with shared resources such as I/O ports (e.g., serial port, parallel port, universal serial bus port), I/O devices (e.g., monitor, keyboard, mouse), a CD-ROM drive 430, a floppy drive 435, and the like. Switch box 425 provides processing blades 410 with switchable access to a network 440 (e.g., local area network, wide area network, Internet)); 
(b) a virtual machine manager comprising a plurality of modules executable by a one or more systems in a distributed computing environment, wherein at least a portion of the virtual machine manager is executed on the computing device (see Goud figure 4 element 115 and paragraph 0017 i.e. VMM 115 operates to coordinate execution of VM sessions 130. In one embodiment, VMM 115 is firmware layered on top of platform hardware 110. Platform hardware 110 is hardware of a computer system, such a personal computer ("PC"), a blade server, or the like and paragraph 0019 i.e. Each of VM sessions 130 behaves like a complete physical machine that can run its own OS. Usually, each VM session is given the illusion by VMM 115 that it is the only physical machine.…Each of VM sessions 130 supports a corresponding one of OS's 140 and firmware 145. Each OS 140 can be different, as illustrated, or a separate instance of the same OS);
(d) the computing device further being configured to launch a virtual machine operating system only in response to receiving said authenticated indicator, wherein prior to receiving said authenticated indicator said virtual machine operating system is not running and wherein once said virtual machine operating system is launched, said virtual machine operating system runs under the control of a particular virtual machine that is being managed by said virtual machine manager (see paragraph 0037 states If the SVMM is enabled, process 200 continues to a process block 245. In process block 245, it is determined whether to trust an OS prior to loading the OS. In one embodiment, trust is established by executing a hash function on a portion of a storage disk containing the pre-loaded OS. In one embodiment, if the hash value matches a whitelist, in decision block 250 trust has been established and the OS may be loaded into the VM session in a process block 255).
(e) the computing device further configured to prevent said virtual machine operating system from launching prior to receiving said authenticated indicator, whereby access to sensitive data present on the computing device cannot be accessed by the unauthenticated computing device (see paragraph 0037 states In process block 260, VMM 115 has determined it cannot trust the OS and therefore does not load the untrusted OS into the established VM session. Rather, VMM 115 terminates the established VM session and generates a log entry to document the untrusted OS.
Goud does not teach (c) a server configured communicatively coupled to said computing device and configured to authenticate said computing device by first receiving a request for authentication that is sent from the computing device and responding to the request for authentication by sending an authenticated indicator or a not authenticated indicator to the computing device.
Miller teaches (c) a server configured communicatively coupled to said computing device and configured to authenticate said computing device by first receiving a request for authentication that is sent from the computing device and responding to the request for authentication by sending an authenticated indicator or a not authenticated indicator to the computing device (see Miller figure 2 steps 204-208 and 220 and paragraph 0031 at 204 the client 106 requests via the network 100 that the server 104 transfer the boot files 102 to the client 106 and at 206 the client presents its credentials by sending via the network the installed client certificate of authenticity 112. At 208, the server 104 authenticates the client by the received client certificate of authenticity 112. If the client is not authentic (e.g., if the client certificate is invalid, expired or revoked), the process ends) and paragraph 0034 i.e. Next, at 218 the authenticated client authenticates the transferred, signed boot files by confirming that the boot files have a signature corresponding to the client certificate and/or the server certificate. In particular, the transferred boot files should include a signature corresponding to the client certificate of authenticity from the server and the client verifies that the signature corresponds to its certificate of authenticity (see 124 of FIG. 2). If the boot files are not authenticated (e.g., if the boot files are incorrectly signed, invalid, expired or revoked), the process ends. At 220, the authenticated boot files are executed by the client to create the operating system). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have placed a pre-installation environment on a client that can validate the integrity of the client, server, and boot file to provides a more secure and robust way to boot clients (see Miller paragraph 0003). Therefore one would have been motivated to have used an authentication server to authenticate the client before booting the operating system. 

With respect to claim 4 Goud teaches, the system of Claim 1, wherein said computing device is selected from the group consisting of a server computer, a desktop computer, a personal computer, a notebook computer, a laptop computer, a mobile computing device, a personal digital assistant, a hand-held computer, a tablet computer, a cellular telephone, and a satellite telephone (see Goud figure 1 and 4 element 110 and paragraph 0015 i.e. Platform hardware 110 is hardware of a computer system, such a personal computer ("PC"), a blade server, or the like).

With respect to claim 5 Goud teaches, the system of Claim 1, wherein said network is selected from the group consisting of a wireless network, a wired network, a broadband network, a cellular telephone network, a satellite telephone network, a Wi-Fi network, a WiMax network, a local area network (LAN), a wide area network (WAN), the Internet, and a virtual network (see Goud figure 4 and paragraph 0046 i.e. Switch box 425 provides processing blades 410 with switchable access to a network 440 (e.g., local area network, wide area network, Internet)).

With respect to claim 6 Goud teaches the system of Claim 1, but does not disclose wherein said server is remote from said computing device and said computing device communicates with said server over said network. 
Miller teaches wherein said server is remote from said computing device and said computing device communicates with said server over said network (see figure 1 and paragraph 0031-0032 i.e. if the client certificate 112 matches a pre-existing list of authentic clients which the server 104 maintains or has access so that the client 106 is authentic to the server 104, at 210 the server 104 sends via the network 100 a server certificate of authenticity 118 to the client 106 in response to authenticating by the server of the client). 
It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have placed a pre-installation environment on a client that can validate the integrity of the client, server, and boot file to provides a more secure and robust way to boot clients (see Miller paragraph 0003). Therefore one would have been motivated to have used an authentication server to authenticate the client before booting the operating system.

With respect to claim 7 Goud teaches the system of Claim 1 but does not disclose wherein said server is an authentication server and said request for authentication comprises information provided by a user. 
Miller teaches wherein said server is an authentication server and said request for authentication comprises information provided by a user (see figure 1 and paragraph 0031 i.e. Initially at 202, a client certificate of authenticity 112 is installed on the client 106. This installation (as well as any other communication between the client and the server) can be accomplished manually or via the network 100). 
It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have placed a pre-installation environment on a client that can validate the integrity of the client, server, and boot file to provides a more secure and robust way to boot clients (see Miller paragraph 0003). Therefore one would have been motivated to have used an authentication server to authenticate the client before booting the operating system.

With respect to claim 13 Goud teaches, the system of Claim 1 wherein said virtual machine operating system is limited in its ability to access said memory, storage, input/output functions, or network capabilities of said computing device according to a set of policies (see Goud paragraph 0021-0023 i.e. VMM 115 inserts an additional privilege level below OS's 140. For example, Intel x86 processors define four privilege levels to protect an OS and OS kernel drivers. These privilege levels are referred to as "rings," which range from 0 to 3. Windows.TM. 2000 uses only two of these four privilege levels, granting applications/drivers executing in the kernel mode ring 0 privileges and user applications executing in the user mode ring 3 privileges. Ring 0 grants access to all system resources, while ring 3 grants limited access to guard against inadvertent or malicious writes. Since OS's 140 are supported within VM sessions 130, OS's 140 are unaware that VMM 115 has been inserted beneath them. The hardware support for VMs 130, known as virtual machine extensions ("VMX"), insert an additional four privilege levels (or rings) below the four rings currently available in x86 processors).

With respect to claim 14 Goud teaches, a system for protecting a computing device from unauthorized use comprising: 
(a) a computing device configured for communication over a network, said computing device having a virtual machine manager configured to run on said computing device, said computing device having memory, storage, input/output functions, and network capabilities, wherein the virtual machine manager comprises a plurality of modules executable by a plurality of computing devices in a distributed computing environment (see Goud figure 1 and 4 element 110 and paragraph 0017 and 0046 i.e. Chassis 405 includes a chassis management module ("CMM") 420 and a switch box 425. Media tray 415 optionally rests on top of chassis 405 and provides processing blades 410 with shared resources such as I/O ports (e.g., serial port, parallel port, universal serial bus port), I/O devices (e.g., monitor, keyboard, mouse), a CD-ROM drive 430, a floppy drive 435, and the like. Switch box 425 provides processing blades 410 with switchable access to a network 440 (e.g., local area network, wide area network, Internet)); 
(b) a virtual machine controlled by said virtual machine manager (see Goud figure 4 element 115 and paragraph 0017 i.e. VMM 115 operates to coordinate execution of VM sessions 130. In one embodiment, VMM 115 is firmware layered on top of platform hardware 110. Platform hardware 110 is hardware of a computer system, such a personal computer ("PC"), a blade server, or the like);
(c) a virtual machine operating system configured to run in said virtual machine; (see Goud figure 1 element 140 and paragraph 0019 i.e. Each of VM sessions 130 behaves like a complete physical machine that can run its own OS. Usually, each VM session is given the illusion by VMM 115 that it is the only physical machine.…Each of VM sessions 130 supports a corresponding one of OS's 140 and firmware 145. Each OS 140 can be different, as illustrated, or a separate instance of the same OS).
Groud also teaches launching a virtual machine operating system after authentication (see paragraph 0037 states If the SVMM is enabled, process 200 continues to a process block 245. In process block 245, it is determined whether to trust an OS prior to loading the OS. In one embodiment, trust is established by executing a hash function on a portion of a storage disk containing the pre-loaded OS. In one embodiment, if the hash value matches a whitelist, in decision block 250 trust has been established and the OS may be loaded into the VM session in a process block 255).
Goud does not teach (d) a server configured for authenticating said computing device, said server configured to receive a request for authentication prior to initiating a launching of said operating system, said operating system configured to either launch or not launched based upon a response from said server to said request for authentication.
Miller teaches (d) a server configured for authenticating said computing device, said server configured to receive a request for authentication prior to initiating a launching of said virtual machine operating system, said virtual machine operating system configured to either launch or not launched based upon a response from said server to said request for authentication (see Miller figure 2 steps 204-208 and 220 and paragraph 0031 at 204 the client 106 requests via the network 100 that the server 104 transfer the boot files 102 to the client 106 and at 206 the client presents its credentials by sending via the network the installed client certificate of authenticity 112. At 208, the server 104 authenticates the client by the received client certificate of authenticity 112. If the client is not authentic (e.g., if the client certificate is invalid, expired or revoked), the process ends) and paragraph 0034 i.e. Next, at 218 the authenticated client authenticates the transferred, signed boot files by confirming that the boot files have a signature corresponding to the client certificate and/or the server certificate. In particular, the transferred boot files should include a signature corresponding to the client certificate of authenticity from the server and the client verifies that the signature corresponds to its certificate of authenticity (see 124 of FIG. 2). If the boot files are not authenticated (e.g., if the boot files are incorrectly signed, invalid, expired or revoked), the process ends. At 220, the authenticated boot files are executed by the client to create the operating system). 
It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have placed a pre-installation environment on a client that can validate the integrity of the client, server, and boot file to provides a more secure and robust way to boot clients (see Miller paragraph 0003). Therefore one would have been motivated to have used an authentication server to authenticate the client before booting the operating system. 

With respect to claim 15 Goud teaches, the system of Claim 14, wherein said virtual machine operating system is limited in its ability to access said memory, storage, input/output functions, or network capabilities of said computing device based upon said response to said request for authentication (see Goud figure 1 and 4 element 110 and paragraph 0017 and 0046 i.e. Chassis 405 includes a chassis management module ("CMM") 420 and a switch box 425. Media tray 415 optionally rests on top of chassis 405 and provides processing blades 410 with shared resources such as I/O ports (e.g., serial port, parallel port, universal serial bus port), I/O devices (e.g., monitor, keyboard, mouse), a CD-ROM drive 430, a floppy drive 435, and the like. Switch box 425 provides processing blades 410 with switchable access to a network 440 (e.g., local area network, wide area network, Internet)). 

With respect to claim 18 Goud teaches, a system comprising: 
(a) a computing device configured for communication over a network (see Goud figure 1 and 4 element 110 and paragraph 0017 and 0046 i.e. Chassis 405 includes a chassis management module ("CMM") 420 and a switch box 425. Media tray 415 optionally rests on top of chassis 405 and provides processing blades 410 with shared resources such as I/O ports (e.g., serial port, parallel port, universal serial bus port), I/O devices (e.g., monitor, keyboard, mouse), a CD-ROM drive 430, a floppy drive 435, and the like. Switch box 425 provides processing blades 410 with switchable access to a network 440 (e.g., local area network, wide area network, Internet)); 
(b) a virtual machine manager configured to communicate over said network; wherein the virtual machine manager comprises a plurality of modules executable by a plurality of computing device in a distributed computer environment (see Goud figure 4 element 115 and paragraph 0017 i.e. VMM 115 operates to coordinate execution of VM sessions 130. In one embodiment, VMM 115 is firmware layered on top of platform hardware 110. Platform hardware 110 is hardware of a computer system, such a personal computer ("PC"), a blade server, or the like.); 
(c) a virtual machine configured to communicate with and be controlled by said manager a virtual machine (see Goud figure 1 element 140 and paragraph 0019 i.e. Each of VM sessions 130 behaves like a complete physical machine that can run its own OS. Usually, each VM session is given the illusion by VMM 115 that it is the only physical machine.…Each of VM sessions 130 supports a corresponding one of OS's 140 and firmware 145. Each OS 140 can be different, as illustrated, or a separate instance of the same OS); 
Groud also teaches launching a virtual machine operating system after authentication (see paragraph 0037 states If the SVMM is enabled, process 200 continues to a process block 245. In process block 245, it is determined whether to trust an OS prior to loading the OS. In one embodiment, trust is established by executing a hash function on a portion of a storage disk containing the pre-loaded OS. In one embodiment, if the hash value matches a whitelist, in decision block 250 trust has been established and the OS may be loaded into the VM session in a process block 255).
Goud does not teach (d) a server program configured for authenticating said computing device, said server program configured to receive a request for authentication prior to initiating a launching of said operating system, said virtual machine operating system configured to either launch or not launched based upon a response from said server to said request for authentication, wherein the virtual machine manager is configured to communicate with the server program as part of the authentication without using the virtual machine operating system. 
Miller teaches (d) a server program configured for authenticating said computing device, said server program configured to receive a request for authentication prior to initiating a launching of said operating system, said virtual machine operating system configured to either launch or not launched based upon a response from said server to said request for authentication, wherein the virtual machine manager is configured to communicate with the server program as part of the authentication without using the virtual machine operating system (see Miller figure 2 steps 204-208 and 220 and paragraph 0031 at 204 the client 106 requests via the network 100 that the server 104 transfer the boot files 102 to the client 106 and at 206 the client presents its credentials by sending via the network the installed client certificate of authenticity 112. At 208, the server 104 authenticates the client by the received client certificate of authenticity 112. If the client is not authentic (e.g., if the client certificate is invalid, expired or revoked), the process ends) and paragraph 0034 i.e. Next, at 218 the authenticated client authenticates the transferred, signed boot files by confirming that the boot files have a signature corresponding to the client certificate and/or the server certificate. In particular, the transferred boot files should include a signature corresponding to the client certificate of authenticity from the server and the client verifies that the signature corresponds to its certificate of authenticity (see 124 of FIG. 2). If the boot files are not authenticated (e.g., if the boot files are incorrectly signed, invalid, expired or revoked), the process ends. At 220, the authenticated boot files are executed by the client to create the operating system). 
It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have placed a pre-installation environment on a client that can validate the integrity of the client, server, and boot file to provides a more secure and robust way to boot clients (see Miller paragraph 0003). Therefore one would have been motivated to have used an authentication server to authenticate the client before booting the operating system. 

With respect to claims 19, Goud teaches the system of Claim 18, wherein said server program, said virtual machine manager, and said virtual machine execute on said computing device (see figure 1, 2 and paragraph 0017 and 0037-0038).

With respect to claims 20 Goud teaches the system of Claim 18, but does not disclose wherein said server program executes in a server computer separate from said computing device. Miller teaches wherein said server program executes in a server computer separate from said computing device (see figure 1 and paragraph 0031-0032 i.e. if the client certificate 112 matches a pre-existing list of authentic clients which the server 104 maintains or has access so that the client 106 is authentic to the server 104, at 210 the server 104 sends via the network 100 a server certificate of authenticity 118 to the client 106 in response to authenticating by the server of the client). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have placed a pre-installation environment on a client that can validate the integrity of the client, server, and boot file to provides a more secure and robust way to boot clients (see Miller paragraph 0003). Therefore one would have been motivated to have used an authentication server to authenticate the client before booting the operating system.

Claims 2, 3, 8, 9, 16 and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over Goud et al (US 2005/0138370) in view of Miller et al (US 2005/0005096) in further view of Wookey et al (2007/0171921).
With respect to claim 2 Goud teaches the system of Claim 1, but does not teach wherein the computing device boots a host operating system prior to initiating a launching of said virtual machine and prior to initiating a launching of said virtual machine operating system.  
Wookey teaches wherein the computing device boots a host operating system prior to initiating a launching of said virtual machine and prior to initiating a launching of said virtual machine operating system (see Wookey paragraph 0149 i.e. In some embodiments, a hypervisor executes on a machine executing an operating system. In one of these embodiments, a machine executing an operating system and a hypervisor may be said to have a host operating system (the operating system executing on the machine), and a guest operating system (an operating system executing within a computing resource partition provided by the hypervisor)). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have combines the teachings of Goud with those of Wookey to provide a system with the ability to have run the virtual machine (VM) in a hypervisor architecture. Since a hypervisor architecture gives the ability to run the virtual machine in a hypervisor executes on a machine executing an operating system or directly with hardware on a machine, instead of executing on a host operating system (See Wookey paragraph 0149). Therefore one would have been motivated to have combines the teachings of Goud with those of Wookey to provide a hypervisor that executes on a machine executing an operating system.

 	With respect to claim 3 Goud teaches the system of Claim 1, but does not disclose wherein said virtual machine is launched during the boot of said computing device to run on said computing device without an underlying host operating system. 
Wookey teaches wherein said virtual machine is launched during the boot of said computing device to run on said computing device without an underlying host operating system (see Wookey paragraph 0149 i.e. In other embodiments, a hypervisor interacts directly with hardware on a machine, instead of executing on a host operating system. In one of these embodiments, the hypervisor may be said to be executing on "bare metal," referring to the hardware comprising the machine). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have combines the teachings of Goud with those of Wookey to provide a system with the ability to have run the virtual machine (VM) in a hypervisor architecture. Since in a hypervisor architecture, there may not be an underlying host general purpose operating system (See Wookey paragraph 0149). Therefore one would have been motivated to have combines the teachings of Goud with those of Wookey to provide a hypervisor interacts directly with hardware on a machine, instead of executing on a host operating system.

With respect to claim 8 Goud teaches, the system of Claim 1, but does not disclose wherein said virtual machine manager comprises a hypervisor. 
Wookey teaches wherein said virtual machine manager comprises a hypervisor (see Wookey paragraph 0149 i.e. a hypervisor executes on a machine executing an operating system. In one of these embodiments, a machine executing an operating system and a hypervisor may be said to have a host operating system (the operating system executing on the machine), and a guest operating system (an operating system executing within a computing resource partition provided by the hypervisor). In other embodiments, a hypervisor interacts directly with hardware on a machine, instead of executing on a host operating system). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have combines the teachings of Goud with those of Wookey to provide a system with the ability to have run the virtual machine (VM) in a hypervisor architecture. Since a hypervisor architecture gives the ability to run the virtual machine in a hypervisor executes on a machine executing an operating system or directly with hardware on a machine, instead of executing on a host operating system (See Wookey paragraph 0149). Therefore one would have been motivated to have combines the teachings of Goud with those of Wookey to provide a hypervisor that executes on a machine executing an operating system

With respect to claim 9 Goud teaches, the system of Claim 8, wherein said virtual machine manager further comprises a network communications stack (see Goud paragraph 0017 and 0046)
	
With respect to claim 16, Goud teaches the system of Claim 14, but does not disclose wherein the computing device boots a host operating system prior to initiating a launching of said virtual machine and prior to initiating a launching of said virtual machine operating system.  
Wookey teaches wherein the computing device boots a host operating system prior to initiating a launching of said virtual machine and prior to initiating a launching of said virtual machine operating system (see Wookey paragraph 0149 i.e. In some embodiments, a hypervisor executes on a machine executing an operating system. In one of these embodiments, a machine executing an operating system and a hypervisor may be said to have a host operating system (the operating system executing on the machine), and a guest operating system (an operating system executing within a computing resource partition provided by the hypervisor)). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have combines the teachings of Goud with those of Wookey to provide a system with the ability to have run the virtual machine (VM) in a hypervisor architecture. Since a hypervisor architecture gives the ability to run the virtual machine in a hypervisor executes on a machine executing an operating system or directly with hardware on a machine, instead of executing on a host operating system (See Wookey paragraph 0149). Therefore one would have been motivated to have combines the teachings of Goud with those of Wookey to provide a hypervisor that executes on a machine executing an operating system.

With respect to claim 17 Goud teaches the system of Claim 14, but does not disclose wherein said virtual machine is launched during the boot of said computing device to run on said computing device without an underlying host operating system. 
Wookey teaches wherein said virtual machine is launched during the boot of said computing device to run on said computing device without an underlying host operating system (see Wookey). It would have been obvious at the time the invention was filed to a person having ordinary skill in the art to which said subject matter pertains to have combines the teachings of Goud with those of Wookey to provide a system with the ability to have run the virtual machine (VM) in a hypervisor architecture. Since in a hypervisor architecture, there may not be an underlying host general purpose operating system (See Wookey paragraph 0149). Therefore one would have been motivated to have combines the teachings of Goud with those of Wookey to provide a hypervisor interacts directly with hardware on a machine, instead of executing on a host operating system.

Claims 10-12 are rejected under 35 U.S.C. 103(a) as being unpatentable over "Goud et al (US 2005/0138370) in view of Miller et al (US 2005/0005096) in further view of "SafeBoot 4 Device Encryption Administrator Guide" version 4.2.7.11 B4750
With respect to claim 10 Goud teaches the system of Claim 1, but does not disclose comprising a protected partition accessible to said computing device. SafeBoot teaches, the system of Claim 1, comprising a protected partition accessible to said computing device (See SafeBoot 1.3.1 Protection i.e. Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory, and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user, and because the only readable data on the hard disk is the SafeBoot operating system, and the encryption key for the hard drive is itself protected with the user's authentication key). It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to have used SafeBoot as a way to protect a computer from operating without authenticating the user by encrypting the hard drive partition with a user’s authentication key so that the only way to access the partition is from an authorized user’s authentication key that decrypts the partition encryption key (see Safeboot sections 1.3.1 and 12.2). Therefore one would have been motivated to have used SafeBoot to protect the partition.

With respect to claim 11 Goud teaches the system of Claim 10, but does not disclose wherein said protected partition is encrypted. 
SafeBoot teaches wherein said protected partition is encrypted (See SafeBoot 1.3.1 Protection i.e. Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory, and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user, and because the only readable data on the hard disk is the SafeBoot operating system, and the encryption key for the hard drive is itself protected with the user's authentication key). 
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to have used SafeBoot as a way to protect a computer from operating without authenticating the user by encrypting the hard drive partition with a user’s authentication key so that the only way to access the partition is from an authorized user’s authentication key that decrypts the partition encryption key (see Safeboot sections 1.3.1 and 12.2). Therefore one would have been motivated to have used SafeBoot to protect the partition.

With respect to claim 12 Goud teaches the system of Claim 11, but does not disclose wherein said protected partition is either decrypted or not decrypted based on said response to said request for authentication. 
SafeBoot teaches wherein said protected partition is either decrypted or not decrypted based on said response to said request for authentication (See SafeBoot 1.3.1 Protection i.e. Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory, and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user, and because the only readable data on the hard disk is the SafeBoot operating system, and the encryption key for the hard drive is itself protected with the user's authentication key). 
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to have used SafeBoot as a way to protect a computer from operating without authenticating the user by encrypting the hard drive partition with a user’s authentication key so that the only way to access the partition is from an authorized user’s authentication key that decrypts the partition encryption key (see Safeboot sections 1.3.1 and 12.2). Therefore one would have been motivated to have used SafeBoot to protect the partition.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492