SECURE ERASURE AND REPLACEMENT OF VIRTUAL MACHINE POOLS

§101 §103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status 1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 2. Claims 1–19 are presented for examination in a PCT international application filed on 03/09/2022 (PCT/EP2022/056028), and entered the national stage on 08/25/2023. Priority 3. Acknowledgment is made of applicant’s claim for foreign priority based on an application filed in Great Britain (GB) on Mar. 15, 2021 (2103557.1). Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55. Objections 4. The drawings are objected to under 37 CFR 1.83(a) because Figure 1 in the drawings does not contain any labels or descriptions pertaining to the specification or the claimed subject matter. Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. New corrected drawings in compliance with 37 CFR 1.121(d) are required in this application because they fail to show any of the features as described in the specification or the claimed subject matter. Applicant is advised to employ the services of a competent patent draftsperson outside the Office, as the U.S. Patent and Trademark Office no longer prepares new drawings. The corrected drawings are required in reply to the Office action to avoid abandonment of the application. The requirement for corrected drawings will not be held in abeyance. Claim Interpretation Under 35 USC § 112 The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 5. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f): (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f), is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f), is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f), except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f), except as otherwise indicated in an Office action. 6. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f), because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: a. “data eraser apparatus,” recited in claim 18; and b. “processing resource,” recited in claim 19, each configured to or capable of being configured to perform respective claimed functions. Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f), it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f), applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f). Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. A. 7. Claim limitations: a. “data eraser apparatus,” recited in claim 18; and b. “processing resource,” recited in claim 19, invoke 35 U.S.C. 112(f). However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. In this instance, and as filed, the disclosure is either devoid of any STRUCTURE that performs the function in the claims, (Here, the disclosure simply does not describe or limit the claimed “data eraser apparatus” or “processing resource” to a known structure or class of structure (e.g. a CPU) capable of performing the claimed function (method) referred in claim 1), or (to the extent that a structure is sufficiently disclosed) that the structure described in the specification does not perform the entire function in the claim. 8. Therefore, claims 18 and 19 are indefinite and rejected under 35 U.S.C. 112(b). Applicant may: (a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f); (b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)). If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: (a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181. B. 9. Claims 12–16 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. a. As to claims 12–16, they contain the trademark/trade name VMware Horizon and VMware Orchestrator. Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph. See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982). The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product. A trademark or trade name is used to identify a source of goods, and not the goods themselves. Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name. In the present case, the trademark/trade names are used to identify/describe one or more commercial product lines, product families, and/or categories by a third-party (VMware) and, accordingly, the identification/description is indefinite. b. Appropriate corrections are therefore required. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 10. Claims 17 is rejected under 35 U.S.C. 101 because it is directed to non-statutory subject matter and thus do not fall within at least one of the four categories of patent eligible subject matter. 11. As to claim 17, it is directed to a “A computer program which, when executed by a processing resource …” which is software per se. Software per se does not have a physical or tangible form and thus does not fall within any of the four categories of patent eligible subject matter. Applicant is advised to amend this portion of the claim to recite a “A non-transitory computer readable storage media storing instructions which, when executed by a processing resource of a data eraser apparatus ...” to overcome the 101 rejection. Examiner’s Remarks 12. Examiner refers to and explicitly cites particular pages, sections, figures, paragraphs or columns and lines in the references as applied to Applicant’s claims to the extent practicable to streamline prosecution. Although the cited portions of the references are representative of the best teachings in the art and are applied to meet the specific limitations of the claims, other uncited but related teachings of the references may be equally applicable as well. It is respectfully requested that, in preparing responses to the rejections, the Applicant fully considers not only the cited portions of the references, but also the references in their entirety, as potentially teaching, suggesting or rendering obvious all or one or more aspects of the claimed invention. Abbreviations 13. Where appropriate, the following abbreviations will be used when referencing Applicant’s submissions and specific teachings of the reference(s): i. figure / figures: Fig. / Figs. ii. column / columns: Col. / Cols. iii. page / pages: p. / pp. References Cited 14. (A) Roth, US 9,524,389 B1. (B) Keagy et al., 8,352,608 B1 (“Keagy”). (C) Munjal et al., US 2018/0083854 A1 (“Munjal”). (D) Moran et al., US 10,691,547 B1 (“Moran”). (E) Mahapatra et al., US 11,422,680 B1 (“Mahapatra”). (F) Fenton, “Using the VMware Horizon HTML5 Administrative Console -- Virtualization Review” dated 03/11/2019 (virtualizationreview.com/articles/2019/03/11/using-the-vmware-horizon-html5-administrative-console.aspx; Wayback Machine archive date: 09/30/2020). Notice re prior art available under both pre-AIA and AIA 15. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. A. 16. Claims 1–4, 6–10, and 17–19 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Roth in view of (B) Keagy. See “References Cited” section, above, for full citations of references. 17. Regarding claim 1, (A) Roth teaches/suggests the invention substantially as claimed, including: “A method for … replacing a pool of virtual machines, wherein the virtual machines of the pool of virtual machines are implemented on a common virtualization layer and are managed by a common virtual machine management application, and wherein the method comprises:” (Col. 6, lines 49–55: the scaling service is configured to terminate and re-launch virtual machines for security purposes. For example, each virtual machine of a set of virtual machines may be configured to expire after running for one hour, whereupon the virtual machine may be de-provisioned and a new virtual machine instantiated in its place; Col. 6, lines 17–23: launching virtual machines, executing the virtual machines for a period of time, terminating the virtual machines, and creating new virtual machines to replace the terminated virtual machines based on a schedule, event trigger, or other scheme; Col. 18, lines 30–35: to run in environments of virtual machines having bounded lifespans (i.e., virtual machine instances which have a fixed lifecycle and are terminated upon reaching the end of their lifecycle ), which, upon reaching the end of their lifespans, are replaced by new virtual machines also having bounded lifespans; Col. 5, lines 37–40: The virtual machines on each host physical computing machine may be managed through a virtualization layer, such as via a hypervisor; Col. 10, lines 58–62: The virtualization layer may be any device, software or firmware used for providing a virtual computer platform for the virtual machines 277 and configured to manage the execution of the virtual machines 277 on the host computing system 279A; Col. 8, lines 52–55: The previously requested virtual machines 277 may be members of an auto-scaling group allocated to the customer; Fig. 2 and Col. 9, lines 16–30: example data center 270 includes a number of physical host computing systems (host computing systems 275A-75B a scaling service manager 280 of the **scaling service**. In this environment 200, the host computing systems 275A-75B each provide multiple virtual machines 277 and have a virtual machine manager 275 to manage those virtual machines …. Each of the virtual machines provided by a host computing system may be used as a distinct computing node for the scaling service, such as to have a first virtual machine computing node on a host computing system be part of a first computing node group for a first user); “using the virtual machine management application to create a replacement pool of virtual machines on the common virtualization layer, wherein the replacement pool of virtual machines has the same configuration and/or settings as the pool of virtual machines” (Col. 6, lines 17–23: launching virtual machines, executing the virtual machines for a period of time, terminating the virtual machines, and creating new virtual machines to replace the terminated virtual machines based on a schedule, event trigger, or other scheme; Col. 18, lines 30–35: to run in environments of virtual machines having bounded lifespans (i.e., virtual machine instances which have a fixed lifecycle and are terminated upon reaching the end of their lifecycle ), which, upon reaching the end of their lifespans, are replaced by new virtual machines also having bounded lifespans; Col. 13, lines 3–18: The base image 310 may be a snapshot of a state of a computer system at an initial point in time (e.g., at a point in time early in the lifecycle of the virtual machine, such as upon completion of a bootup process, upon an initial attempt to connect to a certain network location, etc.). For example, the BASE IMAGE may include an installation of an operating system and software for performing tasks of the customer, and the base image may further be configured with various settings, such as settings for connecting to a particular network. The base image 310 may be configured to be instantiated into one or more virtual machines ( a scaling service), such as the scaling service described in conjunction with FIG. 2, may utilize the base image 310 to instantiate the finite instances (i.e., virtual machines with bounded lifetimes) when it provisions or de-provisions its finite instances); “using the virtual machine management application to delete the pool of virtual machines” (Col. 18, lines 35–48: after the virtual machine is terminated and de-provisioned in 614, a new virtual machine having a bounded lifespan may be automatically instantiated from the same base image as the previous virtual machine and the system performing the process 600 may repeat the process 600 for the new virtual machine. Additionally in such environments, the new virtual machine may be launched prior to or in parallel (i.e., concurrence) with the other operations of 614. Note that one or more of the operations performed in 602-14 may be 45 performed in various orders and combinations, including in parallel). Roth does not teach “securely erasing” and “using an erasure application to erase each virtual machine of the pool of virtual machines, wherein the erasure application is executable independently of the virtual machine management application.” (B) Keagy, in the context of Roth’s teachings, however teaches or suggests: “securely erasing” and “using an erasure application to erase each virtual machine of the pool of virtual machines, wherein the erasure application is executable independently of the virtual machine management application” (Col. 49, line 59 to Col. 50, line 21: E. Secure Deletion of Virtual Machines provide automated secure deletion for a virtual server that is removed from the node's resources. For instance, rather than simply reallocating the resources to a different virtual machine, the utility management module of some embodiments writes random data to the file system (i.e., overwrites the values stored on a physical storage) such that subsequent configurations on the file system will be unable to extract any of the previously stored data. Alternatively, some embodiments perform the secure deletion by “zeroing out” the bits of the previously allocated file system … FIG. 28 presents a process 2800 for securely deleting a virtual machine automatically using a utility management module of some embodiments; Col. 35, lines 35–45: the software processes executed by the utility management module are defined by a set of scripts … hypervisor management module directs each utility management module to execute one or more of the scripts at specified instances in time through the various control provisioning messages; See Roth, Col. 18, lines 35–48, as applied above: the new virtual machine may be launched prior to or in parallel (i.e., concurrence) with the other operations of 614. Note that one or more of the operations performed in 602-14 may be 45 performed in various orders and combinations, including in parallel). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of (B) Keagy with those of (A) Roth to provide for the secure deletion (erasure) of virtual machine in conjunction with resource de-provisioning, re-allocation, and/or removing images or other virtual machine files from persistent storage. The motivation or advantage to do so is to protect the confidentiality of personal or sensitive user data or information. 18. Regarding claim 2, Roth and Keagy teach or suggest: “wherein using the erasure application to erase each virtual machine of the pool of virtual machines comprises erasing at least one of the following entities associated with each virtual machine of the pool of virtual machines: one or more guest operating systems; one or more system files; one or more applications; or stored data” (Roth, Col. 13, lines 3–18: The base image may include an installation of an operating system and software for performing tasks of the customer, and the base image may further be configured with various settings, such as settings for connecting to a particular network. The base image 310 may be configured to be instantiated into one or more virtual machines; Keagy, Col. 49, line 59 to Col. 50, line 21: provide automated secure deletion for a virtual server that is removed from the node's resources. For instance, rather than simply reallocating the resources to a different virtual machine, the utility management module of some embodiments writes random data to the file system (i.e., overwrites the values stored on a physical storage) such that subsequent configurations on the file system will be unable to extract any of the previously stored data. Alternatively, some embodiments perform the secure deletion by “zeroing out” the bits of the previously allocated file system … To perform the secure deletion, the process writes sets of random data to the disk storage (i.e., block device) ensuring that none of the customer's data remains on the disk storage before the disk storage is allocated to another customer; Col. 15, lines 7–28: the file system of the virtual machine is created to store all configuration files for the virtual machine operating system, application programs, and user data …. The file system thus represents a portion of a block device of a node that is set aside to store data and configuration files of a virtual machine). 19. Regarding claim 3, Roth and Keagy teach or suggest: “wherein using the erasure application to erase each virtual machine of the pool of virtual machines comprises erasing stored data associated with each virtual machine of the pool of virtual machines and, in addition, erasing at least one of the following entities: one or more guest operating systems associated with each virtual machine of the pool of virtual machines, one or more system files associated with each virtual machine of the pool of virtual machines, or one or more applications associated with each virtual machine of the pool of virtual machines” (Roth, Col. 13, lines 3–18; and Keagy, Col. 49, line 59 to Col. 50, line 21; Col. 15, lines 7–28, as applied in rejecting claim 2 above). 20. Regarding claim 4, Keagy teaches or suggests: “wherein using the erasure application to erase each virtual machine of the pool of virtual machines comprises completely erasing each virtual machine of the pool of virtual machines” (Col. 49, line 59 to Col. 50, line 21: the utility management module of some embodiments writes random data to the file system (i.e., overwrites the values stored on a physical storage) such that subsequent configurations on the file system will be unable to extract any of the previously stored data. Alternatively, some embodiments perform the secure deletion by “zeroing out” the bits of the previously allocated file system). 21. Regarding claim 6, Roth teaches or suggests: “wherein using the virtual machine management application to create the replacement pool of virtual machines on the common virtualization layer comprises using the virtual machine management application to DUPLICATE the pool of virtual machines on the common virtualization layer” (Col. 13, lines 3–18: The base image 310 may be a snapshot of a state of a computer system at an initial point in time (e.g., at a point in time early in the lifecycle of the virtual machine, such as upon completion of a bootup process, upon an initial attempt to connect to a certain network location, etc.). For example, the BASE IMAGE may include an installation of an operating system and software for performing tasks of the customer, and the base image may further be configured with various settings, such as settings for connecting to a particular network. The base image 310 may be configured to be instantiated into one or more virtual machines ( a scaling service), such as the scaling service described in conjunction with FIG. 2, may utilize the base image 310 to instantiate the finite instances (i.e., virtual machines with bounded lifetimes) when it provisions or de-provisions its finite instances); Col. 18, lines 35–48: after the virtual machine is terminated and de-provisioned in 614, a new virtual machine having a bounded lifespan may be automatically instantiated from the same base image as the previous virtual machine and the system performing the process 600 may repeat the process 600 for the new virtual machine; Col. 10, lines 58–62: The virtualization layer may be any device, software or firmware used for providing a virtual computer platform for the virtual machines 277 and configured to manage the execution of the virtual machines 277 on the host computing system 279A). 22. Regarding claim 7, Roth teaches or suggests: “wherein using the virtual machine management application to create the replacement pool of virtual machines on the common virtualization layer comprises: storing the configuration and/or settings of the pool of virtual machines at a first time” (Col. 13, lines 3–18: The base image 310 may be a snapshot of a state of a computer system at an initial point in time (e.g., at a point in time early in the lifecycle of the virtual machine, such as upon completion of a bootup process, upon an initial attempt to connect to a certain network location, etc.). For example, the BASE IMAGE may include an installation of an operating system and software for performing tasks of the customer, and the base image may further be configured with various settings, such as settings for connecting to a particular network. The base image 310 may be configured to be instantiated into one or more virtual machines ( a scaling service), such as the scaling service described in conjunction with FIG. 2, may utilize the base image 310 to instantiate the finite instances (i.e., virtual machines with bounded lifetimes) when it provisions or de-provisions its finite instances); “using the virtual machine management application to create the replacement pool of virtual machines on the common virtualization layer with the same configuration and/or settings as the pool of virtual machines at a second time which is later than the first time” (Col. 13, lines 3–18: The base image 310 may be configured to be instantiated into one or more virtual machines ( a scaling service), such as the scaling service described in conjunction with FIG. 2, may utilize the base image 310 to instantiate the finite instances (i.e., virtual machines with bounded lifetimes) when it provisions or de-provisions its finite instances); Col. 18, lines 35–48: after the virtual machine is terminated and de-provisioned in 614, a new virtual machine having a bounded lifespan may be automatically instantiated from the same base image as the previous virtual machine and the system performing the process 600 may repeat the process 600 for the new virtual machine; Col. 10, lines 58–62: The virtualization layer may be any device, software or firmware used for providing a virtual computer platform for the virtual machines 277 and configured to manage the execution of the virtual machines 277 on the host computing system 279A). 23. Regarding claim 8, Roth and Keagy teach or suggest: “using the virtual machine management application to disable or suspend the operation of the pool of virtual machines before using the erasure application to erase each virtual machine of the pool of virtual machines” (Roth, Col. 6, lines 49–55: the scaling service is configured to terminate and re-launch virtual machines for security purposes. For example, each virtual machine of a set of virtual machines may be configured to expire after running for one hour, whereupon the virtual machine may be de-provisioned and a new virtual machine instantiated in its place; Keagy, Fig. 28, step 2820: “Halt operation of the virtual machine”; Col. 50, lines 13–21: process then stops (at 2820) the virtual machine’s operations through a set of override commands that turn-off the virtual machine. The process accesses (at 2830) the block device of the virtual machine and performs (at 2840) a secure deletion of the virtual machine configuration and data. Col. 35, lines 35–45: the software processes executed by the utility management module are defined by a set of scripts … hypervisor management module directs each utility management module to execute one or more of the scripts at specified instances in time through the various control provisioning messages). 24. Regarding claim 9, Roth teaches or suggests: “using the virtual machine management application to disable or suspend the operation of the pool of virtual machines before using the virtual machine management application to create the replacement pool of virtual machines on the common virtualization layer” (Col. 6, lines 49–55: disclosure, the scaling service is configured to terminate and re-launch virtual machines for security purposes. For example, each virtual machine of a set of virtual machines may be configured to expire after running for one hour, whereupon the virtual machine may be de-provisioned and a new virtual machine instantiated in its place; Col. 6, lines 17–23: launching virtual machines, executing the virtual machines for a period of time, terminating the virtual machines, and creating new virtual machines to replace the terminated virtual machines based on a schedule, event trigger, or other scheme; Col. 30, claim 5: “launch one or more virtual machines that are associated with a configuration specifying that an occurrence of a predetermined event is to cause a virtual machine of the one or more virtual machines to stop running”; Col. 3, lines 1–10: This predetermined event may be that the virtual machine has reached the end of its predetermined bounded lifetime. Other examples of predetermined events may be the receipt of a request through an application programming interface from a customer (i.e., a device operated by or on behalf of the customer), the computing resource service provider, or other authorized entity to terminate the virtual machine). 25. Regarding claim 10, Roth teaches or suggests: “enabling or initiating the operation of the replacement pool of virtual machines” (Col. 6, lines 49–55: disclosure, the scaling service is configured to terminate and RE-LAUNCH virtual machines for security purposes. For example, each virtual machine of a set of virtual machines may be configured to expire after running for one hour, whereupon the virtual machine may be de-provisioned and a new virtual machine instantiated in its place). 26. Regarding claim 17, it is the corresponding computer program product claim reciting similar limitations of commensurate scope as the method of claim 1. Therefore, it is rejected on the same basis as claim 1 above, including the following rationale: Roth teaches or suggests: “computer program which, when executed by a processing resource of a data eraser apparatus, causes the data eraser apparatus to perform” (Col. 9, lines 55–60: scaling service manager 280 may include software instructions stored in memory, which, when executed by one or more processors, manage program execution capacity for the scaling service; Col. 28, lines 43–50: Processes described (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors; See cited teachings of Roth and Keagy, as applied in rejecting claim 1, teaching “method for securely erasing and replacing a pool of virtual machines”). 27. Regarding claim 18, it is the corresponding system or apparatus claim reciting similar limitations of commensurate scope as the method of claim 1. Therefore, it is rejected on the same basis as claim 1 above, including the following rationale: Roth and Keagy teach or suggest: “data eraser apparatus is configured to perform the method for securely erasing and replacing a pool of virtual machines” (Roth, Col. 9, lines 55–60: scaling service manager 280 may include software instructions stored in memory, which, when executed by one or more processors, manage program execution capacity for the scaling service; Col. 28, lines 43–50: Processes described (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors; See cited teachings of Roth and Keagy, as applied in rejecting claim 1, teaching “method for securely erasing and replacing a pool of virtual machines”). 28. Regarding claim 19, Roth and Keagy teach or suggest (the claimed element of): “a processing resource which is configured to control the data eraser apparatus so as to perform the method” (Roth, Col. 9, lines 55–60: scaling service manager 280 may include software instructions stored in memory, which, when executed by one or more processors, manage program execution capacity for the scaling service; Col. 28, lines 43–50: Processes described (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors; See cited teachings of Roth and Keagy, as applied in rejecting claim 1, teaching “method for securely erasing and replacing a pool of virtual machines”). B. 29. Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over (A) Roth in view of (B) Keagy, as applied to claim 1 above, and further in view of (C) Munjal. 30. Regarding claim 5, Keagy teaches or suggests “using the erasure application to erase each virtual machine of the pool of virtual machines” as applied in rejecting claim 1 above. Roth and Keagy do not teach “generating an erasure verification report containing data indicative of the degree, extent and/or successful completion, of the erasure of each virtual machine of the pool of virtual machines once erasure of each virtual machine of the pool of virtual machines is completed.” (C) Munjal, in the context of Roth and Keagy’s teachings, teaches or suggests “generating an erasure verification report containing data indicative of the degree, extent and/or successful completion, of the erasure of each virtual machine of the pool of virtual machines once erasure of each virtual machine of the pool of virtual machines is completed” (¶ 45: As shown in FIG. 2B, once data erasure verification is completed, the individual computing units 104 can transmit verification report 144 to the first enclosure controller 105a via the same IPMI or other suitable interfaces. In certain embodiments, the verification report 144 can include data indicating a failure (i.e., data at least not completely erased), a successful completion, or a nonperformance ( e.g., drive not readable) of the requested data erasure verification on one or more persistent storage devices 124. In other embodiments, the verification report 144 can also include a percentage of audited data that has been erased or not erased on a particular persistent storage device 124. In further embodiments, the verification report 144 can also include data indicating a start time, an elapsed period, a complete time, an error code, an associated secure data erasure technique applied …. The first enclosure controller 105a can then aggregate the received verification report 144 from the individual computing units 104 and transmit an aggregated verification report 144' to the administrator 121 via the management network 109. Based on the received aggregated verification report 144', the administrator 121 can then identify one or more of the computing units 104 and/or persistent storage devices 124 for manual inspection, performing additional audit, or other suitable operations). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of (C) Munjal with those of Roth and Keagy to verify and provide an aggregate verification report of the secure deletion (erasure) of virtual machines. The motivation or advantage to do so is to provide for the complete audit and administrative confirmation of the deletion/erasure operations before releasing and re-allocating shared resources to another user or host environment. C. 31. Claims 11–12 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Roth in view of (B) Keagy, as applied to claim 1 above, and further in view of (D) Moran. 32. Regarding claim 11, Roth teaches or suggests “the pool of virtual machine” Col. 8, lines 52–55: The previously requested virtual machines 277 may be members of an auto-scaling group allocated to the customer; Fig. 2 and Col. 9, lines 16–30: example data center 270 includes a number of physical host computing systems (host computing systems 275A-75B a scaling service manager 280 of the **scaling service**. In this environment 200, the host computing systems 275A-75B each provide multiple virtual machines 277 and have a virtual machine manager 275 to manage those virtual machines …. Each of the virtual machines provided by a host computing system may be used as a distinct computing node for the scaling service, such as to have a first virtual machine computing node on a host computing system be part of a first computing node group for a first user). Roth and Keagy do not teach “wherein the pool of virtual machines comprises a pool of virtual desktops and wherein the virtual machine management application comprises a virtual desktop management application or virtual desktop infrastructure (VDI) software.” (D) Moran however teaches or suggests: “wherein the pool of virtual machines comprises a pool of virtual desktops and wherein the virtual machine management application comprises a virtual desktop management application or virtual desktop infrastructure (VDI) software” (Col. 3, lines 35–48: Embodiments are directed to a system and method for optimizing backup and restore operations in virtual desktop environments. In an embodiment, the underlying backup system may be a variable length deduplication system that stores unique daily changes while maintaining daily full backups for immediate, single-step restores to facilitate fast, daily full backups for virtual environments, remote offices, enterprise applications, network-attached storage (NAS) servers, and desktop/laptop computers. The backup system is used with a desktop broker or desktop virtualization product that provides remote-desktop capabilities to users using virtualization technology. Examples of such desktop brokers include VMware Horizon® View; Col. 6, lines 24–35: EUC architecture 200 typically encompasses components that require backup and recovery to protect a desktop environment, including: a virtual desktop infrastructure 202, virtual desktop 204, and user profile and data 206. The virtual desktop infrastructure includes a desktop broker and one or more servers for database functions and file/data management functions. A hypervisor interfaces with the individual VM virtual desktops (running respective agents) that comprise the virtual desktop 204. The user 201 interacts with the desktop broker interface to access the virtual desktop client agents; Col. 6,lines 46–50: The virtual desktop infrastructure of an EUC environment comprises the desktop brokers to handle desktop LIFECYCLE MANAGEMENT and, optionally, an external database system to keep track of the broker and desktop configurations; Col. 7, lines 33–41: desktop broker within the virtual desktop infrastructure 202 provides personalized virtual desktops to end-users. With the desktop broker (e.g., VMware Horizon View), administrators can virtualize the OS, applications, and user data while gaining control, efficiency, and security by having desktop data in a data center. FIG. 3 illustrates an example desktop broker architecture under an embodiment. The example of FIG. 3 is directed to or contains reference to the VMware Horizon View desktop broker; Col. 7, lines 45–50: A view connection server 302 orchestrates the EUC environment 300. It assigns virtual desktops 306 to users, authenticates users, monitors the state of the virtual desktops, and starts and stops desktops based on demand and the administrative configuration). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of (D) Moran with those of Roth and Keagy to incorporate a desktop broker to configure and manage (administer) a pool of virtual desktops under a virtual desktop environment or infrastructure. The motivation or advantage to do so is to provide for the centralized management of end-user computing (EUC) environments in business or IT organizations so as to optimize the sharing of common/enterprise resources. 33. Regarding claim 12, Moran teaches or suggests “wherein the virtual machine management application comprises VMware Horizon” (Col. 3, lines 35–48: Examples of such desktop brokers include VMware Horizon® View). D. 34. Claims 13–15 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Roth in view of (B) Keagy and (D) Moran, as applied to claim 12 above, and further in view of (E) Mahapatra. 35. Regarding claim 13, Roth, Keagy and Moran do not teach “wherein the method is defined by a VMware Orchestrator workflow.” (E) Mahapatra however teaches or suggests: “wherein the method is defined by a VMware Orchestrator workflow” (Col. 2, lines 28–42: A user can develop a workflow using a workflow design tool, such as available in the VMWARE™ vCenter Orchestrator …. Generally, a workflow embodies a service fulfillment process. One example would 35 be a workflow that adds a new tenant and provisions resources for that tenant. Another example would be a workflow that instantiates and deploys a virtual application. Yet another example would be a workflow that removes a tenant. Further examples include commissioning a virtual local area network, provisioning a virtual machine, decommissioning a virtual machine; Col. 3, lines 5–30: The workflow execution framework 210 can be implemented as a layer of software that handles workflow execution requests. Physically, the workflow execution framework 210 can be implemented in a computer coupled to a virtual computing center 212 …. The workflow 100 could commission, provision or decommission one or more virtual machines 218, a virtual local area network (VLAN) 216, or 15 other virtual or physical arrangement of the physical resources 214 available from the virtual computing center 212, as a service fulfillment process …. referring to FIG. 2B, the workflow execution framework 210 intercepts an execution request from one of the portals 204, 206, 208 for a workflow 100, and performs various actions). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of (E) Mahapatra with those of Roth, Keagy, and Moran to define and design a workflow using a commercially-available design tool. The motivation or advantage to do so is to provide for efficient, streamlined design, implementation, and maintenance of infrastructure management tasks (i.e. provisioning and decommissioning of virtual desktop pools). 36. Regarding claim 14, Roth and Mahapatra teach or suggests: “wherein the VMware Orchestrator workflow calls the virtual machine management application to create the replacement pool of virtual machines on the common virtualization layer” (Roth, Col. 6, lines 49–55: the scaling service is configured to terminate and re-launch virtual machines for security purposes. For example, each virtual machine of a set of virtual machines may be configured to expire after running for one hour, whereupon the virtual machine may be de-provisioned and a new virtual machine instantiated in its place; Mahapatra, Col. 2, lines 28–42 and Col. 3, lines 5–30, teaching creating and executing a workflow designed with VMWARE™ vCenter Orchestrator; Col. 1, Background: Many computer tasks can be automated with the use of workflows, which are graphical presentations of sequences of steps; Col. 8, lines 23–26: a controller could include a first module and a second module. A controller could be configured to perform various actions, e.g., of a method, an application, a layer or an agent). 37. Regarding claim 15, Keagy and Mahapatra teach or suggests: “wherein the VMware Orchestrator workflow calls the erasure application to erase each virtual machine of the pool of virtual machines” (Keagy, Col. 49, line 59 to Col. 50, line 21: E. Secure Deletion of Virtual Machines provide automated secure deletion for a virtual server that is removed from the node's resources. For instance, rather than simply reallocating the resources to a different Mahapatra, Col. 2, lines 28–42 and Col. 3, lines 5–30, teaching creating and executing a workflow designed with VMWARE™ vCenter Orchestrator; Col. 1, Background: Many computer tasks can be automated with the use of workflows, which are graphical presentations of sequences of steps; Col. 8, lines 23–26: a controller could include a first module and a second module. A controller could be configured to perform various actions, e.g., of a method, an application, a layer or an agent). E. 38. Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over (A) Roth in view of (B) Keagy and (D) Moran, as applied to claim 12 above, and further in view of (F) Fenton. 39. Regarding claim 16, Roth teaches or suggests “wherein the method is initiated, invoked or triggered” (Col. 12, lines 1–5: that other triggers may be used to cause termination and replacement of virtual machines 277, such as an intrusion being detected, execution errors, and express instructions to do so, such as from the customer, system administrator, or other authorized entity). Roth, Keagy and Moran do not teach “initiated, invoked or triggered via a VMware Horizon graphical user interface.” (F) Fenton teaches or suggests “method is initiated, invoked or triggered via a VMware Horizon graphical user interface” (see pg. 1: Accessing Horizon Console; pg. 3: By selecting a machine, I was able to perform additional functions, such as restarting and resetting. When I clicked Add while on the Desktop page, it brought up a desktop pool creation wizard (Figure 6) that looked very different from the Horizon 7 Administrator wizard (Figure 7), but it did allow me the same functionality as when creating desktop pools). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of (F) Fenton with those of Roth, Keagy, and Moran to provide a Horizon administrative console. The motivation or advantage to do so is to provide for an intuitive graphical interface for managing virtual desktop pools. (See Moran, Col. 7, lines 45–50: A view connection server 302 orchestrates the EUC environment 300. It assigns virtual desktops 306 to users, authenticates users, monitors the state of the virtual desktops, and starts and stops desktops based on demand and the administrative configuration). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN C WU whose telephone number is (571)270-5906. The examiner can normally be reached Monday through Friday, 8:30 A.M. to 5:00 P.M.. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aimee J. Li can be reached on (571)272-4169. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BENJAMIN C WU/Primary Examiner, Art Unit 2195 January 3, 2026