Abstract: A selection of a document that includes a command and a parameter is received, and a user is caused to be associated with a policy that grants permission to execute the document. A request is received, from a requestor, to execute the document, the request including a parameter value, and the requestor is determined to be the user associated with the policy. The user is validated to have access to a resource indicated by the parameter value, and the command is caused to be executed against the resource.

Abstract: The adjustment of a number of application launch endpoint servers that may be used to service incoming connection requests. Application launch endpoints are entities, such as running code, that may be used to launch other applications. Examples of endpoints include virtual machines or sessions in a session management server. The system load associated with the incoming connection rate and number of users is monitored. In response, an add threshold and a perhaps a remove threshold is calculated. If the system load rises above the add threshold, application launch endpoint server(s) are added to the set of endpoints that can handle incoming connection requests. If the system load falls below the remove threshold, application launch endpoint server(s) are removed from to the set of endpoints. The add and remove thresholds may be calculated per tenant, and adjusted based on tenant behavior.

Abstract: Embodiments are directed to provisioning private virtual machines in a public cloud and to managing private virtual machines hosted on a public cloud. In one scenario, a virtual network is established at a public cloud environment based on a request received from a private domain, and an authenticated session is established between the virtual network and the private domain. A virtual machine is hosted within the virtual network. The virtual machine is configured to be accessible to a user authenticated to the virtual machine, and is configured to run an application using data received from the private domain. Private data is received from the private domain over the authenticated session, and the authenticated user is provided access to the application running at the virtual machine, including providing the authenticated user access to the private data.

Abstract: A method for executing commands on virtual machine instances in a distributed computing environment can include receiving, from a client computing device, a command execution request for executing a command on one or more virtual machine instances within the distributed computing environment. The command execution request includes a tag, and instance identification information for the one or more virtual machine instances is retrieved based on the tag. A command specification document associated with the command specified by the command execution request is retrieved. A command execution message, including the command specification document and at least one command parameter, is communicated to each of the one or more virtual machine instances. A command execution result from executing the command at the one or more virtual machine instances is received from the one or more virtual machine instances. The command execution result is sent to the client computing device.

Abstract: Embodiments are directed to provisioning private virtual machines in a public cloud and to managing private virtual machines hosted on a public cloud. In one scenario, a computer system receives authentication information for a private domain from an entity. The entity indicates that their private virtual machines are to be provisioned on a public cloud, where the entity's private domain is accessible using the authentication information. The computer system establishes a virtual network on the public cloud which is configured to host the entity's private virtual machines, where each virtual machine hosts remote applications. The computer system establishes an authenticated connection from the virtual network to the entity's private domain using the received authentication information and provides the entity's private virtual machines on the public cloud.

Abstract: The management of bandwidth utilization in a network system that has multiple users. The system identifies the current set of users that are accessing the network by tracking which users are newly accessing the network, which users have ceased accessing the network, and which users continue to access the network over a period of time. The system then guarantees that these identified users will have a certain minimum bandwidth over the period of time. The system then enforces the guaranteed minimum bandwidth for each of the users so that they have no less than the corresponding guaranteed minimum bandwidth. Thus, even if the network bandwidth utilization would be saturated if all requests were satisfied, the system may continue operating while provided some guaranteed level of bandwidth to each user.

Abstract: The updating of virtual machines. A task broker schedules update tasks for multiple virtual machines on the host machine. As each update task is to be performed, if the virtual machine is not currently running, as might be the case for a personal virtual machine, the virtual machine is caused to begin running to allow the update task to be performed on the virtual machine. Also, a pooled virtual machine is updated by copying information from the old virtual hard drive to a location to allow the information to be preserved as the master image is updated. After the update is completed, the virtual machine is formed, associated with the new virtual hard drive, and copied back to the virtual machine.

Abstract: Embodiments are directed to authenticating a user to a remote application provisioning service. In one scenario, a client computer system receives authentication credentials from a user at to authenticate the user to a remote application provisioning service that provides virtual machine-hosted remote applications. The client computer system sends the received authentication credentials to an authentication service, which is configured to generate an encrypted token based on the received authentication credentials. The client computer system then receives the generated encrypted token from the authentication service, stores the received encrypted token and the received authentication credentials in a data store, and sends the encrypted token to the remote application provisioning service. The encrypted token indicates to the remote application provisioning service that the user is a valid user.

Abstract: The adjustment of a number of application launch endpoint servers that may be used to service incoming connection requests. Application launch endpoints are entities, such as running code, that may be used to launch other applications. Examples of endpoints include virtual machines or sessions in a session management server. The system load associated with the incoming connection rate and number of users is monitored. In response, an add threshold and a perhaps a remove threshold is calculated. If the system load rises above the add threshold, application launch endpoint server(s) are added to the set of endpoints that can handle incoming connection requests. If the system load falls below the remove threshold, application launch endpoint server(s) are removed from to the set of endpoints. The add and remove thresholds may be calculated per tenant, and adjusted based on tenant behavior.

Abstract: Embodiments are directed to provisioning private virtual machines in a public cloud and to managing private virtual machines hosted on a public cloud. In one scenario, a computer system receives authentication information for a private domain from an entity. The entity indicates that their private virtual machines are to be provisioned on a public cloud, where the entity's private domain is accessible using the authentication information. The computer system establishes a virtual network on the public cloud which is configured to host the entity's private virtual machines, where each virtual machine hosts remote applications. The computer system establishes an authenticated connection from the virtual network to the entity's private domain using the received authentication information and provides the entity's private virtual machines on the public cloud.

Abstract: Embodiments are directed to authenticating a user to a remote application provisioning service. In one scenario, a client computer system receives authentication credentials from a user at to authenticate the user to a remote application provisioning service that provides virtual machine-hosted remote applications. The client computer system sends the received authentication credentials to an authentication service, which is configured to generate an encrypted token based on the received authentication credentials. The client computer system then receives the generated encrypted token from the authentication service, stores the received encrypted token and the received authentication credentials in a data store, and sends the encrypted token to the remote application provisioning service. The encrypted token indicates to the remote application provisioning service that the user is a valid user.

Abstract: The updating of virtual machines. A task broker schedules update tasks for multiple virtual machines on the host machine. As each update task is to be performed, if the virtual machine is not currently running, as might be the case for a personal virtual machine, the virtual machine is caused to begin running to allow the update task to be performed on the virtual machine. Also, a pooled virtual machine is updated by copying information from the old virtual hard drive to a location to allow the information to be preserved as the master image is updated. After the update is completed, the virtual machine is formed, associated with the new virtual hard drive, and copied back to the virtual machine.

Abstract: As described herein, a computer system receives a first indication that an interactive login session is to be established. The first indication includes user credentials for establishing the interactive login session. The computer system then establishes the interactive login session using the received user credentials. The interactive login session includes a data transfer endpoint for receiving data from other sessions. The computer system receives a second indication that a child session is to be established in parallel to the established interactive login session. The child session is configured to direct input and output data through a loopback connection to the data transfer endpoint of the interactive login session. The computer system also establishes the child session using the received user credentials. The child session then transfers at least a portion of data to the data transfer endpoint of the interactive login session using the loopback connection.

Abstract: The management of data storage channel utilization in a computing system that has multiple users. The system receives file-level requests from requesters and then creates a history for each requester. Upon evaluating the history of each requester, the system determines whether to delay the file-level requests from entering the file system stack based on the result of the evaluation. The system delays one or more of the file-level requests if the history of the corresponding requester meets one or more criteria. If the history of the corresponding requester does not meet the criteria, the system allows the file-level requests to be passed to the file system stack without being delayed.

Abstract: The updating of virtual machines. A task broker schedules update tasks for multiple virtual machines on the host machine. As each update task is to be performed, if the virtual machine is not currently running, as might be the case for a personal virtual machine, the virtual machine is caused to begin running to allow the update task to be performed on the virtual machine. Also, a pooled virtual machine is updated by copying information from the old virtual hard drive to a location to allow the information to be preserved as the master image is updated. After the update is completed, the virtual machine is formed, associated with the new virtual hard drive, and copied back to the virtual machine.

Abstract: Exemplary techniques for enabling single sign-on to an operating system configured to conduct a remote presentation session are disclosed. In an exemplary embodiment, a user credential can be encrypted using an encryption key generated by a remote presentation session server and sent to a client. The client can send the encrypted user credential to the remote presentation session server. The remote presentation session server can decrypt the user credential and use it to log a user into an operating system running on the remote presentation session server. In addition to the foregoing, other techniques are described in the claims, the detailed description, and the figures.

Abstract: The updating of virtual machines. A task broker schedules update tasks for multiple virtual machines on the host machine. As each update task is to be performed, if the virtual machine is not currently running, as might be the case for a personal virtual machine, the virtual machine is caused to begin running to allow the update task to be performed on the virtual machine. Also, a pooled virtual machine is updated by copying information from the old virtual hard drive to a location to allow the information to be preserved as the master image is updated. After the update is completed, the virtual machine is formed, associated with the new virtual hard drive, and copied back to the virtual machine.

Abstract: The management of bandwidth utilization in a network system that has multiple users. The system identifies the current set of users that are accessing the network by tracking which users are newly accessing the network, which users have ceased accessing the network, and which users continue to access the network over a period of time. The system then guarantees that these identified users will have a certain minimum bandwidth over the period of time. The system then enforces the guaranteed minimum bandwidth for each of the users so that they have no less than the corresponding guaranteed minimum bandwidth. Thus, even if the network bandwidth utilization would be saturated if all requests were satisfied, the system may continue operating while provided some guaranteed level of bandwidth to each user.

Abstract: The management of data storage channel utilization in a computing system that has multiple users. The system receives file-level requests from requesters and then creates a history for each requester. Upon evaluating the history of each requester, the system determines whether to delay the file-level requests from entering the file system stack based on the result of the evaluation. The system delays one or more of the file-level requests if the history of the corresponding requester meets one or more criteria. If the history of the corresponding requester does not meet the criteria, the system allows the file-level requests to be passed to the file system stack without being delayed.

Abstract: As described herein, a computer system receives a first indication that an interactive login session is to be established. The first indication includes user credentials for establishing the interactive login session. The computer system then establishes the interactive login session using the received user credentials. The interactive login session includes a data transfer endpoint for receiving data from other sessions. The computer system receives a second indication that a child session is to be established in parallel to the established interactive login session. The child session is configured to direct input and output data through a loopback connection to the data transfer endpoint of the interactive login session. The computer system also establishes the child session using the received user credentials. The child session then transfers at least a portion of data to the data transfer endpoint of the interactive login session using the loopback connection.