diff --git a/doc/releases/migration-guide-4.4.rst b/doc/releases/migration-guide-4.4.rst
index f20c6bc736697..7dd1f634e364c 100644
--- a/doc/releases/migration-guide-4.4.rst
+++ b/doc/releases/migration-guide-4.4.rst
@@ -52,6 +52,28 @@ Other subsystems
 Modules
 *******
 
+OpenThread
+==========
+
+* The following Kconfigs options were renamed:
+
+  * ``CONFIG_OPENTHREAD_MBEDTLS_CHOICE`` to
+    :kconfig:option:`CONFIG_OPENTHREAD_SECURITY_DEFAULT_CONFIG`
+  * ``CONFIG_CUSTOM_OPENTHREAD_SECURITY`` to
+    :kconfig:option:`CONFIG_OPENTHREAD_SECURITY_CUSTOM_CONFIG`
+
+* :kconfig:option:`CONFIG_OPENTHREAD_CRYPTO_PSA` no more depends on
+  :kconfig:option:`CONFIG_PSA_CRYPTO_CLIENT`, but instead selects
+  :kconfig:option:`CONFIG_PSA_CRYPTO`.
+
+* In builds without TF-M, :kconfig:option:`CONFIG_SECURE_STORAGE` is now automatically
+  implied if :kconfig:option:`CONFIG_OPENTHREAD_SECURITY_DEFAULT_CONFIG` and
+  :kconfig:option:`CONFIG_OPENTHREAD_CRYPTO_PSA` are set. This
+  guarantees that a PSA ITS implementation is available and it requires a backend
+  for Secure Storage (Settings, ZMS, or a custom one) to be configured.
+
+* :kconfig:option:`CONFIG_OPENTHREAD_CRYPTO_PSA` is now enabled by default.
+
 Trusted Firmware-M
 ==================
 
diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig
index 96d176c1ebde0..333717361456f 100644
--- a/modules/mbedtls/Kconfig
+++ b/modules/mbedtls/Kconfig
@@ -192,7 +192,8 @@ if MBEDTLS_ENABLE_HEAP
 
 config MBEDTLS_HEAP_SIZE
 	int "Heap size for mbed TLS"
-	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
+	default 15360 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
+	default 1024 if OPENTHREAD_CRYPTO_PSA
 	default 512
 	help
 	  The mbedtls routines will use this heap if enabled.
diff --git a/modules/mbedtls/Kconfig.mbedtls b/modules/mbedtls/Kconfig.mbedtls
index 34052f44a1f73..922582fc172e4 100644
--- a/modules/mbedtls/Kconfig.mbedtls
+++ b/modules/mbedtls/Kconfig.mbedtls
@@ -134,7 +134,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 	bool "ECJPAKE based ciphersuite modes"
-	depends on MBEDTLS_ECJPAKE_C
+	depends on MBEDTLS_ECJPAKE_C || PSA_WANT_ALG_JPAKE
 
 if MBEDTLS_SSL_PROTO_TLS1_3
 
diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig
index 2bb53572047b2..09368f3c5e741 100644
--- a/modules/openthread/Kconfig
+++ b/modules/openthread/Kconfig
@@ -147,54 +147,105 @@ config OPENTHREAD_SHELL
 	depends on SHELL
 
 config MBEDTLS_PROMPTLESS
-	default y if !CUSTOM_OPENTHREAD_SECURITY
+	default y if OPENTHREAD_SECURITY_DEFAULT_CONFIG
 
-choice OPENTHREAD_SECURITY
-	prompt "OpenThread security"
-	default OPENTHREAD_MBEDTLS_CHOICE
+choice OPENTHREAD_SECURITY_CONFIG
+	prompt "OpenThread security configuration"
+	default OPENTHREAD_SECURITY_DEFAULT_CONFIG
 
-config CUSTOM_OPENTHREAD_SECURITY
-	bool "Custom"
+config OPENTHREAD_SECURITY_CUSTOM_CONFIG
+	bool "Custom configuration"
 	help
 	  Security settings will be controlled directly by the user.
-	  Enabling this setting will give access to full control of mbed TLS
+	  Enabling this setting will give access to full control of Mbed TLS
 	  configuration.
 
-config OPENTHREAD_MBEDTLS_CHOICE
-	bool "mbed TLS built-in"
-	select OPENTHREAD_MBEDTLS
+config OPENTHREAD_SECURITY_DEFAULT_CONFIG
+	bool "Default configuration"
 	help
-	  Use the OpenThread mbed TLS configuration pre-defined security scheme.
+	  Use the OpenThread Mbed TLS configuration pre-defined security scheme.
 
-endchoice
+endchoice # OPENTHREAD_SECURITY
+
+config OPENTHREAD_CRYPTO_PSA
+	bool "PSA Crypto API"
+	default y
+	select PSA_CRYPTO
+	select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP
+	imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
+	help
+	  Use PSA Crypto API as backend for cryptographic operations instead
+	  of legacy Mbed TLS.
 
-config OPENTHREAD_MBEDTLS
+if OPENTHREAD_SECURITY_DEFAULT_CONFIG
+
+config OPENTHREAD_CRYPTO_PSA_CONFIG
 	bool
-	select MBEDTLS
-	select MBEDTLS_ENABLE_HEAP
+	default y if OPENTHREAD_CRYPTO_PSA
+	imply SECURE_STORAGE if !BUILD_WITH_TFM
+	select PSA_WANT_KEY_TYPE_AES
+	select PSA_WANT_ALG_ECB_NO_PADDING
+	select PSA_WANT_KEY_TYPE_HMAC
+	select PSA_WANT_ALG_HMAC
+	select PSA_WANT_ALG_CCM
+	select PSA_WANT_ALG_SHA_256
+	select PSA_WANT_ALG_CMAC
+	select PSA_WANT_ALG_JPAKE if OPENTHREAD_COMMISSIONER_JOINER
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if OPENTHREAD_COMMISSIONER_JOINER || \
+							OPENTHREAD_ECDSA
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT if OPENTHREAD_COMMISSIONER_JOINER || \
+							OPENTHREAD_ECDSA
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE if OPENTHREAD_COMMISSIONER_JOINER || \
+							  OPENTHREAD_ECDSA
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE if OPENTHREAD_COMMISSIONER_JOINER || \
+							OPENTHREAD_ECDSA
+	select PSA_WANT_ECC_SECP_R1_256 if OPENTHREAD_COMMISSIONER_JOINER || \
+					   OPENTHREAD_SRP
+	select PSA_WANT_ALG_ECDSA if OPENTHREAD_ECDSA
+	select PSA_WANT_ALG_DETERMINISTIC_ECDSA if OPENTHREAD_ECDSA
+	select PSA_WANT_ALG_ECDH if OPENTHREAD_ECDSA
+	select PSA_WANT_ALG_TLS12_PRF if OPENTHREAD_COMMISSIONER_JOINER
+	select PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS if OPENTHREAD_COMMISSIONER_JOINER
+	select PSA_WANT_ALG_HKDF if OPENTHREAD_TREL
+	select PSA_WANT_ALG_HKDF_EXTRACT if OPENTHREAD_TREL
+	select PSA_WANT_ALG_HKDF_EXPAND if OPENTHREAD_TREL
+
+config OPENTHREAD_CRYPTO_LEGACY_MBEDTLS_CONFIG
+	bool
+	default y if !OPENTHREAD_CRYPTO_PSA
 	select MBEDTLS_CIPHER_AES_ENABLED
 	select MBEDTLS_CIPHER_CCM_ENABLED
 	select MBEDTLS_SHA256
 	select MBEDTLS_ENTROPY_C
 	select MBEDTLS_CMAC
 	select MBEDTLS_CIPHER
-	select MBEDTLS_MD_C
-	select MBEDTLS_SSL_PROTO_TLS1_2 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-	select MBEDTLS_SSL_PROTO_DTLS if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-	select MBEDTLS_ECJPAKE_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-	select MBEDTLS_ECP_DP_SECP256R1_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || \
-	    OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
-	select MBEDTLS_ECP_NIST_OPTIM if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-	select MBEDTLS_CTR_DRBG_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
-	select MBEDTLS_HMAC_DRBG_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || \
-	    OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
-	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED if OPENTHREAD_ECDSA
+	select MBEDTLS_ECJPAKE_C if OPENTHREAD_COMMISSIONER_JOINER
+	select MBEDTLS_ECP_C if OPENTHREAD_COMMISSIONER_JOINER || OPENTHREAD_ECDSA
+	select MBEDTLS_ECP_DP_SECP256R1_ENABLED if OPENTHREAD_COMMISSIONER_JOINER || \
+						   OPENTHREAD_SRP
 	select MBEDTLS_ECDH_C if OPENTHREAD_ECDSA
 	select MBEDTLS_ECDSA_C if OPENTHREAD_ECDSA
 	select MBEDTLS_ECDSA_DETERMINISTIC if OPENTHREAD_ECDSA
+	select MBEDTLS_ECP_NIST_OPTIM if OPENTHREAD_COMMISSIONER_JOINER
+	select MBEDTLS_CTR_DRBG_C if OPENTHREAD_COMMISSIONER_JOINER
+	select MBEDTLS_HMAC_DRBG_C if OPENTHREAD_COMMISSIONER_JOINER || \
+				      OPENTHREAD_SRP
+
+config OPENTHREAD_MBEDTLS_TLS_CONFIG
+	bool
+	default y
+	select MBEDTLS
+	select MBEDTLS_ENABLE_HEAP
+	select MBEDTLS_MD_C
+	select MBEDTLS_SSL_PROTO_TLS1_2 if OPENTHREAD_COMMISSIONER_JOINER
+	select MBEDTLS_SSL_PROTO_DTLS if OPENTHREAD_COMMISSIONER_JOINER
+	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED if OPENTHREAD_COMMISSIONER_JOINER
+	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED if OPENTHREAD_ECDSA
 	select MBEDTLS_PK_WRITE_C if OPENTHREAD_ECDSA
-	select MBEDTLS_ECP_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || OPENTHREAD_ECDSA
+	help
+	  TLS configuration of Mbed TLS.
+
+endif # OPENTHREAD_SECURITY_DEFAULT_CONFIG
 
 config OPENTHREAD_MBEDTLS_LIB_NAME
 	string "mbedtls lib name"
@@ -318,15 +369,6 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE
 	  Set y to enable software CSMA backoff. The option can be disabled if
 	  the radio has hardware support for this feature (IEEE802154_HW_CSMA).
 
-config OPENTHREAD_CRYPTO_PSA
-	bool "ARM PSA crypto API"
-	depends on PSA_CRYPTO_CLIENT
-	select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP
-	imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
-	help
-	  Enable crypto backend library implementation based on ARM PSA crypto
-	  API instead of the default, using mbedTLS.
-
 config OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
 	bool "Make MAC keys exportable"
 	depends on OPENTHREAD_PLATFORM_KEY_REF
diff --git a/modules/openthread/Kconfig.features b/modules/openthread/Kconfig.features
index 6f9df7809ec60..0c0c7ae2e58a3 100644
--- a/modules/openthread/Kconfig.features
+++ b/modules/openthread/Kconfig.features
@@ -215,6 +215,11 @@ config OPENTHREAD_JOINER
 	  mbedTLS heap than the default value. A minimum recommended value of
 	  CONFIG_MBEDTLS_HEAP_SIZE for the commissioning is 10KB.
 
+config OPENTHREAD_COMMISSIONER_JOINER
+	bool
+	default y
+	depends on OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
+
 config OPENTHREAD_LEGACY
 	bool "Legacy network support"
 
@@ -397,6 +402,11 @@ config OPENTHREAD_SRP_SERVER
 	select OPENTHREAD_NETDATA_PUBLISHER
 	select OPENTHREAD_ECDSA
 
+config OPENTHREAD_SRP
+	bool
+	default y
+	depends on OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
+
 config OPENTHREAD_SRP_SERVER_FAST_START
 	bool "SRP server fast start"
 
diff --git a/modules/openthread/platform/crypto_psa.c b/modules/openthread/platform/crypto_psa.c
index bab1afbd7e9dd..c4bcb89ff2229 100644
--- a/modules/openthread/platform/crypto_psa.c
+++ b/modules/openthread/platform/crypto_psa.c
@@ -44,6 +44,8 @@ static psa_key_type_t toPsaKeyType(otCryptoKeyType aType)
 		return PSA_KEY_TYPE_HMAC;
 	case OT_CRYPTO_KEY_TYPE_ECDSA:
 		return PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
+	case OT_CRYPTO_KEY_TYPE_DERIVE:
+		return PSA_KEY_TYPE_DERIVE;
 	default:
 		return PSA_KEY_TYPE_NONE;
 	}
@@ -58,6 +60,8 @@ static psa_algorithm_t toPsaAlgorithm(otCryptoKeyAlgorithm aAlgorithm)
 		return PSA_ALG_HMAC(PSA_ALG_SHA_256);
 	case OT_CRYPTO_KEY_ALG_ECDSA:
 		return PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256);
+	case OT_CRYPTO_KEY_ALG_HKDF_SHA256:
+		return PSA_ALG_HKDF(PSA_ALG_SHA_256);
 	default:
 		/*
 		 * There is currently no constant like PSA_ALG_NONE, but 0 is used
@@ -91,6 +95,10 @@ static psa_key_usage_t toPsaKeyUsage(int aUsage)
 		usage |= PSA_KEY_USAGE_VERIFY_HASH;
 	}
 
+	if (aUsage & OT_CRYPTO_KEY_USAGE_DERIVE) {
+		usage |= PSA_KEY_USAGE_DERIVE;
+	}
+
 	return usage;
 }
 
@@ -99,7 +107,7 @@ static bool checkKeyUsage(int aUsage)
 	/* Check if only supported flags have been passed */
 	int supported_flags = OT_CRYPTO_KEY_USAGE_EXPORT | OT_CRYPTO_KEY_USAGE_ENCRYPT |
 			      OT_CRYPTO_KEY_USAGE_DECRYPT | OT_CRYPTO_KEY_USAGE_SIGN_HASH |
-			      OT_CRYPTO_KEY_USAGE_VERIFY_HASH;
+			      OT_CRYPTO_KEY_USAGE_VERIFY_HASH | OT_CRYPTO_KEY_USAGE_DERIVE;
 
 	return (aUsage & ~supported_flags) == 0;
 }
@@ -287,6 +295,143 @@ otError otPlatCryptoHmacSha256Finish(otCryptoContext *aContext, uint8_t *aBuf, s
 	return psaToOtError(psa_mac_sign_finish(operation, aBuf, aBufLength, &mac_length));
 }
 
+
+otError otPlatCryptoHkdfInit(otCryptoContext *aContext)
+{
+	psa_key_derivation_operation_t *operation;
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t))) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	memset(operation, 0, sizeof(psa_key_derivation_operation_t));
+
+	return psaToOtError(psa_key_derivation_setup(operation, PSA_ALG_HKDF(PSA_ALG_SHA_256)));
+}
+
+otError otPlatCryptoHkdfExtract(otCryptoContext *aContext,
+				const uint8_t *aSalt,
+				uint16_t aSaltLength,
+				const otCryptoKey *aInputKey)
+{
+	otError error = OT_ERROR_NONE;
+	psa_status_t status = PSA_SUCCESS;
+	psa_key_derivation_operation_t *operation = NULL;
+	otCryptoKeyRef key_ref = PSA_KEY_ID_NULL;
+	psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+	psa_algorithm_t key_alg = PSA_ALG_NONE;
+	size_t key_length = 0;
+	const size_t key_buffer_size = 16;
+	uint8_t key_buffer[key_buffer_size];
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t)) ||
+	    (aInputKey == NULL) || (aSalt == NULL) || (aSaltLength == 0)) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	status = psa_key_derivation_input_bytes(operation, PSA_KEY_DERIVATION_INPUT_SALT, aSalt,
+						aSaltLength);
+	if (status != PSA_SUCCESS) {
+		error = psaToOtError(status);
+		goto exit;
+	}
+
+	status = psa_get_key_attributes(aInputKey->mKeyRef, &attributes);
+	if (status != PSA_SUCCESS) {
+		error = psaToOtError(status);
+		goto exit;
+	}
+
+	key_alg = psa_get_key_algorithm(&attributes);
+
+	/* The PSA API enforces a policy that restricts each key to a single algorithm.
+	 * If the key is already HKDF-SHA256, we can use it directly.
+	 * Otherwise, export and re-import it as a volatile HKDF key.
+	 */
+	if (key_alg != toPsaAlgorithm(OT_CRYPTO_KEY_ALG_HKDF_SHA256)) {
+		error = otPlatCryptoExportKey(aInputKey->mKeyRef, key_buffer, sizeof(key_buffer),
+					      &key_length);
+		if (error != OT_ERROR_NONE) {
+			goto exit;
+		}
+		error = otPlatCryptoImportKey(&key_ref, OT_CRYPTO_KEY_TYPE_DERIVE,
+					      OT_CRYPTO_KEY_ALG_HKDF_SHA256,
+					      OT_CRYPTO_KEY_USAGE_DERIVE,
+					      OT_CRYPTO_KEY_STORAGE_VOLATILE,
+					      key_buffer, key_length);
+		if (error != OT_ERROR_NONE) {
+			goto exit;
+		}
+
+		status = psa_key_derivation_input_key(operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+						      key_ref);
+		if (status != PSA_SUCCESS) {
+			error = psaToOtError(status);
+			goto exit;
+		}
+	} else {
+		status = psa_key_derivation_input_key(operation, PSA_KEY_DERIVATION_INPUT_SECRET,
+						      aInputKey->mKeyRef);
+		if (status != PSA_SUCCESS) {
+			error = psaToOtError(status);
+			goto exit;
+		}
+	}
+
+exit:
+	psa_reset_key_attributes(&attributes);
+	otPlatCryptoDestroyKey(key_ref);
+
+	return error;
+}
+
+otError otPlatCryptoHkdfExpand(otCryptoContext *aContext,
+				const uint8_t *aInfo,
+				uint16_t aInfoLength,
+				uint8_t *aOutputKey,
+				uint16_t aOutputKeyLength)
+{
+	psa_status_t status = PSA_SUCCESS;
+	psa_key_derivation_operation_t *operation;
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t)) ||
+	    (aOutputKey == NULL) || (aOutputKeyLength == 0)) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	status = psa_key_derivation_input_bytes(operation, PSA_KEY_DERIVATION_INPUT_INFO,
+						aInfo, aInfoLength);
+	if (status != PSA_SUCCESS) {
+		return psaToOtError(status);
+	}
+
+	status = psa_key_derivation_output_bytes(operation, aOutputKey, aOutputKeyLength);
+	if (status != PSA_SUCCESS) {
+		return psaToOtError(status);
+	}
+
+	return OT_ERROR_NONE;
+}
+
+otError otPlatCryptoHkdfDeinit(otCryptoContext *aContext)
+{
+	psa_key_derivation_operation_t *operation;
+
+	if (!checkContext(aContext, sizeof(psa_key_derivation_operation_t))) {
+		return OT_ERROR_INVALID_ARGS;
+	}
+
+	operation = aContext->mContext;
+
+	return psaToOtError(psa_key_derivation_abort(operation));
+}
+
 otError otPlatCryptoAesInit(otCryptoContext *aContext)
 {
 	psa_key_id_t *key_ref;
diff --git a/samples/net/openthread/coap/prj.conf b/samples/net/openthread/coap/prj.conf
index 959fb3c62680d..4d96512b6fb0d 100644
--- a/samples/net/openthread/coap/prj.conf
+++ b/samples/net/openthread/coap/prj.conf
@@ -26,3 +26,6 @@ CONFIG_OPENTHREAD_XPANID="11:11:11:11:22:22:22:22"
 CONFIG_OPENTHREAD_NETWORKKEY="00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"
 CONFIG_OPENTHREAD_CHANNEL=15
 CONFIG_OPENTHREAD_NETWORK_NAME="OpenThreadDemo"
+
+# Use NVS as settings backend
+CONFIG_NVS=y
diff --git a/samples/net/openthread/coap/sample.yaml b/samples/net/openthread/coap/sample.yaml
index 7727aa287fda6..b143452ea95aa 100644
--- a/samples/net/openthread/coap/sample.yaml
+++ b/samples/net/openthread/coap/sample.yaml
@@ -5,17 +5,15 @@ common:
     - openthread
   depends_on: openthread
   min_flash: 140
+  build_only: true
+  platform_allow:
+    - cc1352p7_lp
+    - nrf52840dk/nrf52840
 sample:
   description: Runs the OpenThread stack as FTD with CoAP
   name: OpenThread FTD CoAP
 tests:
-  sample.net.openthread.ftd.coap.client:
-    build_only: true
-    platform_allow:
-      - cc1352p7_lp
+  sample.net.openthread.ftd.coap.client: {}
   sample.net.openthread.ftd.coap.server:
-    build_only: true
-    platform_allow:
-      - cc1352p7_lp
     extra_configs:
       - CONFIG_OT_COAP_SAMPLE_SERVER=y
diff --git a/subsys/secure_storage/Kconfig.its_store b/subsys/secure_storage/Kconfig.its_store
index c924def563fa1..ba4c5c5c0e48a 100644
--- a/subsys/secure_storage/Kconfig.its_store
+++ b/subsys/secure_storage/Kconfig.its_store
@@ -31,7 +31,7 @@ config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS
 	     && $(dt_node_has_compat,$(dt_node_parent,$(DT_SETTINGS_PARTITIION)),fixed-partitions))\
 	  || ($(dt_path_enabled,$(DT_STORAGE_PARTITION)) \
 	      && $(dt_node_has_compat,$(dt_node_parent,$(DT_STORAGE_PARTITION)),fixed-partitions)))
-	depends on SETTINGS
+	depends on SETTINGS && !SETTINGS_NONE
 
 config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE
 	bool "No ITS store module implementation"
diff --git a/west.yml b/west.yml
index 6ea7cb3ba06ef..6be1bd8e8dce1 100644
--- a/west.yml
+++ b/west.yml
@@ -348,7 +348,7 @@ manifest:
       revision: c30a6d8b92fcebdb797fc1a7698e8729e250f637
       path: modules/lib/open-amp
     - name: openthread
-      revision: 2bc7712f57af22058770d1ef131ad3da79a0c764
+      revision: pull/210/head
       path: modules/lib/openthread
     - name: percepio
       path: modules/debug/percepio