Desktops are the primary infiltration point for ransomware and malware in general. One of the technologies we have implemented to fight ransomware is Virtual Desktop Infrastructure (VDI). We use pooled virtual desktops which means that every time someone logs off their virtual desktop (VD) it is deleted and a new one is booted from an image. This allows us to quickly dispose of a PC if it gets infected with any malware. Most of the physical workstations are ThinClients. We have some physical ThickClients (Windows PCs or laptops) that connect to VDI and I am hoping to get rid of those or at least lock them down where they cannot access anything on the network except VDI or the guest VLAN to the internet.
VDI does not prevent ransomware but does allow you to contain it and limit the damage, as long as you catch it quickly. Ransomware is not the reason we moved to VDI but I have found that it helps the fight against it.