The main one is to have _all_ machines patched through windows update. That is what will protect you.
SMBv1 is an outdated protocol, in which there have been some severe vulnerabilities disclosed in the last few weeks, hence why I recommended to get rid of it at the same time.
That being said, the vulnerability being exploited here is in SMBv2, hence why patching all machines is crucial.
If you are working with SCCM and 20,000+ clients (computers), you will know that all machines will never be patched. It just does not happen. On any given large network there will always be a certain number of unpatched clients. There are a myriad of reasons for patching to fail, from advertisement errors to installation issues, to machines simply being offline (and later coming back online).
You are right that this is often the reality of things. Some systems also will just never be patched because the software running on them stops working if you do and the vendor cannot or will not provide an update that addresses this.
However, in such cases it becomes crucial to have e.g. proper network segmentation in place to help mitigate the risk.
Unfortunately, at this time, there are seldom perfect solutions when it comes to security and a patching scenario can only do so much. In this case, patches are available, but the day a ransomware starts using proper 0-day we'll see a different scenario play out.
It therefore remains important to also keep focus on the reduction of attack surface, and the reduction of software complexity, besides resolving individual technical vulnerabilities.
SMBv1 is an outdated protocol, in which there have been some severe vulnerabilities disclosed in the last few weeks, hence why I recommended to get rid of it at the same time.
That being said, the vulnerability being exploited here is in SMBv2, hence why patching all machines is crucial.