I believe that editing the regkey will invalidate the windows registration, so it is less likely than a spoofed MAC address - particularly given your users are in a corporate environment.
However, that brings up another scenario: in a corp environment, often machines are imaged, which would mean multiple machines may have the same GUID, since they all use the same disk image to start.
Getting a good machine ID for Windows is more or less impossible. There are several approaches that have been discussed / used at length that you can find on this forum. MBS Plugins offers a way to get a unique machine ID in one of their plugins - but I found that even that has a tendency to change over time with Windows Updates, upgrading from Win 8 to Win 10, hardware changes, etc.
Here is the general approach I use to limit the number of physical installations of my app: Have your app create it’s own unique ID per machine when the app is first installed / run (or pull a fresh UUID from your registration server). Then have it record that somewhere that always stays with the installation, in the app’s database or tucked into the application data directory, etc. Any time an instance of my app starts up it bumps up against the registration server and says “hey, I’m license 1234, and my machine ID is {uuid generated at first install}. Here’s a bunch of other information that may also be useful in identifying me: my system name, my screen count and sizes, my windows system hard drive size in bytes, my Widows GUID (if it exists), all the MAC addresses for Wifi or Ethernet cards attached, etc.”
My registration server keeps track of all this, and I’ve built backoffice tools that let me quickly look at a user’s license and see a list of all the parameters reported by all the computers they have used. It’s obvious when a license has been abused, and I can easily contact the user to see what’s up or deactivate the license, etc.
Keep in mind that it is impossible to stop all piracy, and you will see diminishing returns on your efforts to thwart it. In my experience, most users are honest. Those that are not won’t pay for your app even if you do force it not to work until they do.