diff --git a/src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransactionFlow/WSHttpTransactionFlowTests.cs b/src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransactionFlow/WSHttpTransactionFlowTests.cs
index 7a27a00c760..54bc67777bd 100644
--- a/src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransactionFlow/WSHttpTransactionFlowTests.cs
+++ b/src/System.Private.ServiceModel/tests/Scenarios/Binding/WS/TransactionFlow/WSHttpTransactionFlowTests.cs
@@ -452,7 +452,7 @@ public static void WSHttpBinding_TransactionFlow_Mandatory_RoundTrips()
     [WcfFact]
     [Condition(nameof(Windows_Authentication_Available), nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
-    public static void WSHttpBinding_TransactionFlow_Mandatory_WithoutScope_Throws()
+    public static void WSHttpBinding_TransactionFlow_Mandatory_RoundTrips_And_WithoutScope_Throws()
     {
         ChannelFactory<IWcfTransactionMandatoryService> factory = null;
         IWcfTransactionMandatoryService serviceProxy = null;
@@ -465,14 +465,28 @@ public static void WSHttpBinding_TransactionFlow_Mandatory_WithoutScope_Throws()
             factory = new ChannelFactory<IWcfTransactionMandatoryService>(binding, new EndpointAddress(Endpoints.WSHttpTransactionFlowMandatoryAddress));
             serviceProxy = factory.CreateChannel();
 
-            // *** EXECUTE & VALIDATE *** \\
-            // Calling a Mandatory operation without an ambient transaction should throw.
-            // The client-side TransactionChannel enforces Mandatory by requiring a flowed transaction.
+            // *** EXECUTE & VALIDATE — negative case (client-side enforcement) *** \\
+            // Calling a Mandatory operation without an ambient transaction must throw
+            // before any wire activity. The client-side TransactionChannel enforces
+            // [TransactionFlow(Mandatory)] by requiring a flowed transaction.
             Assert.ThrowsAny<ProtocolException>(() =>
             {
                 serviceProxy.IsTransactionFlowed();
             });
 
+            // *** EXECUTE & VALIDATE — positive case (true end-to-end) *** \\
+            // With an ambient transaction, the call must succeed AND the server must
+            // see the flowed transaction. This portion requires real server support
+            // for TransactionFlow and exercises the Mandatory contract attribute on
+            // the wire.
+            bool flowed;
+            using (var scope = new TransactionScope(TransactionScopeOption.Required, TransactionScopeAsyncFlowOption.Enabled))
+            {
+                flowed = serviceProxy.IsTransactionFlowed();
+                scope.Complete();
+            }
+            Assert.True(flowed, "Expected the transaction to flow to the Mandatory service operation, but IsTransactionFlowed returned false.");
+
             // *** CLEANUP *** \\
             factory.Close();
             ((ICommunicationObject)serviceProxy).Close();
diff --git a/src/System.Private.ServiceModel/tests/Scenarios/Client/ClientBase/ClientBaseTests.4.1.0.cs b/src/System.Private.ServiceModel/tests/Scenarios/Client/ClientBase/ClientBaseTests.4.1.0.cs
index e03e55d9527..92b6bb02527 100644
--- a/src/System.Private.ServiceModel/tests/Scenarios/Client/ClientBase/ClientBaseTests.4.1.0.cs
+++ b/src/System.Private.ServiceModel/tests/Scenarios/Client/ClientBase/ClientBaseTests.4.1.0.cs
@@ -55,6 +55,11 @@ public static void DefaultSettings_Echo_Cookie()
     }
 
     [WcfFact]
+    // Flaky under CoreWCF on certain Linux distros (Fedora.41, Debian.12):
+    // the second POST over a keep-alive connection sometimes triggers a
+    // Kestrel pipe-writer race on the server side
+    //   (System.InvalidOperationException: Writing is not allowed after writer
+    //    was completed -> Connection reset by peer at the client).
     [Condition(nameof(Skip_CoreWCFService_FailedTest))]
     [OuterLoop]
     public static void DefaultSettings_SetCookieOnServerSide()
diff --git a/src/System.Private.ServiceModel/tests/Scenarios/Extensibility/WebSockets/WebSocketTests.4.1.0.cs b/src/System.Private.ServiceModel/tests/Scenarios/Extensibility/WebSockets/WebSocketTests.4.1.0.cs
index 6ec253ff7bb..20756d8a2e2 100644
--- a/src/System.Private.ServiceModel/tests/Scenarios/Extensibility/WebSockets/WebSocketTests.4.1.0.cs
+++ b/src/System.Private.ServiceModel/tests/Scenarios/Extensibility/WebSockets/WebSocketTests.4.1.0.cs
@@ -356,8 +356,7 @@ public static void WebSocket_Https_Duplex_Streamed(NetHttpMessageEncoding messag
     [InlineData(NetHttpMessageEncoding.Binary)]
     [InlineData(NetHttpMessageEncoding.Text)]
     [InlineData(NetHttpMessageEncoding.Mtom)]
-    [Condition(nameof(Root_Certificate_Installed),
-        nameof(Skip_CoreWCFService_FailedTest))]
+    [Condition(nameof(Root_Certificate_Installed))]
     [Issue(3572, OS = OSID.OSX)]
     [Issue(1438, OS = OSID.Windows_7)]  // not supported on Win7
     [OuterLoop]
diff --git a/src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeCertificateCanonicalNameTests.4.1.0.cs b/src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeCertificateCanonicalNameTests.4.1.0.cs
index 4c128c4bc3b..9bed4e24004 100644
--- a/src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeCertificateCanonicalNameTests.4.1.0.cs
+++ b/src/System.Private.ServiceModel/tests/Scenarios/Security/TransportSecurity/Tcp/ClientCredentialTypeCertificateCanonicalNameTests.4.1.0.cs
@@ -98,7 +98,11 @@ public static void Certificate_With_CanonicalName_Localhost_Address_EchoString()
 
     [WcfFact]
     [Issue(3572, OS = OSID.OSX)]
-    [Condition(nameof(Root_Certificate_Installed), nameof(Skip_CoreWCFService_FailedTest))]
+    // Test-infra limitation: certificate generator on Linux derives the cert CN
+    // from Dns.GetHostEntry("127.0.0.1").HostName which returns "localhost",
+    // so the "domain name" cert ends up indistinguishable from the localhost
+    // cert and the negative-case assertion cannot be made. Gate on Windows.
+    [Condition(nameof(Root_Certificate_Installed), nameof(Is_Windows))]
     [OuterLoop]
     public static void Certificate_With_CanonicalName_DomainName_Address_EchoString()
     {
@@ -175,7 +179,11 @@ public static void Certificate_With_CanonicalName_DomainName_Address_EchoString(
 
     [WcfFact]
     [Issue(3572, OS = OSID.OSX)]
-    [Condition(nameof(Root_Certificate_Installed), nameof(Skip_CoreWCFService_FailedTest))]
+    // Test-infra limitation: certificate generator on Linux derives the cert CN
+    // from Dns.GetHostEntry("127.0.0.1").HostName which returns "localhost",
+    // so the "fqdn" cert ends up indistinguishable from the localhost cert and
+    // the negative-case assertion cannot be made. Gate on Windows.
+    [Condition(nameof(Root_Certificate_Installed), nameof(Is_Windows))]
     [OuterLoop]
     public static void Certificate_With_CanonicalName_Fqdn_Address_EchoString()
     {