Write Outlook security keys to HKLM for domain environments

On domain PCs, HKCU policies are controlled by GPO and the
Trust Center settings are greyed out. Now also writes to HKLM
(requires admin rights) which overrides GPO settings.

Shows orange hint in settings when GPO lock is detected:
"Auf Domaenen-PCs: App einmalig als Admin starten!"

The app tries all 8 combinations: HKCU/HKLM x Policies/direct
x 16.0/15.0. Silently skips paths where permissions are denied.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/StarfaceOutlookSync/Models/UserSettings.cs

@@ -41,14 +41,7 @@ namespace StarfaceOutlookSync.Models
 
         public void ApplyOutlookSecuritySetting()
         {
-            // Alle Office-Versionen abdecken (16.0 = 2016/2019/2021/2024/365, 15.0 = 2013)
-            // Beide Pfade versuchen: Policies (GPO-Pfad) und direkt (normaler User-Pfad)
             var versions = new[] { "16.0", "15.0" };
-            var prefixes = new[]
-            {
-                @"Software\Policies\Microsoft\Office",   // GPO-Pfad (braucht ggf. Rechte)
-                @"Software\Microsoft\Office"              // Normaler User-Pfad (immer schreibbar)
-            };
 
             var securityValues = new (string name, int value)[]
             {
@@ -65,32 +58,63 @@ namespace StarfaceOutlookSync.Models
                 ("AdminSecurityMode", 3),
             };
 
+            // In alle moeglichen Pfade schreiben (HKCU + HKLM, Policies + direkt)
+            var roots = new[] { Registry.CurrentUser, Registry.LocalMachine };
+            var prefixes = new[]
+            {
+                @"Software\Policies\Microsoft\Office",
+                @"Software\Microsoft\Office"
+            };
+
             foreach (var ver in versions)
             {
-                foreach (var prefix in prefixes)
+                foreach (var root in roots)
                 {
-                    var regPath = $@"{prefix}\{ver}\Outlook\Security";
+                    foreach (var prefix in prefixes)
-
-                    try
                     {
-                        if (AutoAcceptOutlookPrompt)
+                        var regPath = $@"{prefix}\{ver}\Outlook\Security";
+                        try
                         {
-                            var key = Registry.CurrentUser.CreateSubKey(regPath);
+                            if (AutoAcceptOutlookPrompt)
-                            if (key != null)
                             {
-                                foreach (var (name, value) in securityValues)
+                                var key = root.CreateSubKey(regPath);
-                                    key.SetValue(name, value, RegistryValueKind.DWord);
+                                if (key != null)
-                                key.Close();
+                                {
+                                    foreach (var (name, value) in securityValues)
+                                        key.SetValue(name, value, RegistryValueKind.DWord);
+                                    key.Close();
+                                }
+                            }
+                            else
+                            {
+                                try { root.DeleteSubKey(regPath, false); } catch { }
                             }
                         }
-                        else
+                        catch { } // Kein Fehler wenn Rechte fehlen - naechsten Pfad versuchen
-                        {
-                            try { Registry.CurrentUser.DeleteSubKey(regPath, false); } catch { }
-                        }
                     }
-                    catch { }
                 }
             }
         }
+
+        /// <summary>
+        /// Prueft ob die Outlook-Sicherheitseinstellung per GPO blockiert wird.
+        /// </summary>
+        public static bool IsOutlookSecurityLockedByPolicy()
+        {
+            try
+            {
+                // Wenn HKLM Policies gesetzt sind und wir dort nicht schreiben koennen
+                var key = Registry.LocalMachine.OpenSubKey(
+                    @"Software\Policies\Microsoft\Office\16.0\Outlook\Security", false);
+                if (key != null)
+                {
+                    var val = key.GetValue("AdminSecurityMode");
+                    key.Close();
+                    if (val != null) return true;
+                }
+            }
+            catch { }
+            return false;
+        }
     }
 }

src/StarfaceOutlookSync/UI/SettingsForm.cs

@@ -47,11 +47,15 @@ namespace StarfaceOutlookSync.UI
                 Checked = _settings.AutoAcceptOutlookPrompt
             };
 
+            var hintText = "Hinweis: Outlook muss nach Aenderung neu gestartet werden.";
+            if (UserSettings.IsOutlookSecurityLockedByPolicy())
+                hintText += "\nAuf Domaenen-PCs: App einmalig als Admin starten!";
+
             var lblHint = new Label
             {
-                Text = "Hinweis: Outlook muss nach Aenderung dieser Option\nneu gestartet werden.",
+                Text = hintText,
-                Left = 38, Top = 102, Width = 300, Height = 32,
+                Left = 38, Top = 102, Width = 310, Height = 36,
-                ForeColor = Color.Gray,
+                ForeColor = UserSettings.IsOutlookSecurityLockedByPolicy() ? Color.OrangeRed : Color.Gray,
                 Font = new Font("Segoe UI", 8)
             };