diff --git a/README.md b/README.md
index a1cf50922a354c3ce06e6d9302c4fc50f1f2ec11..cef716cec9c74ea0a12082a123e85210419eac45 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,11 @@ Simply follow the official guide. <https://aka.ms/LinuxPortal>
 
 ### For Arch Linux
 
-[TODO: working in progress. see arch-l2 branch for preview]
+1. Install `intune-portal` packages in this repo. Don't forget to enable the `systemctl --user` service.
+2. Follow the official guide to setup password policy file & disk encryption.
+3. Run `intune-portal` to enroll your machine.
+
+> For disk encryption settings, theoretically, dm-crypt (with or without LUKS) + LVM for root partition should be enough.
 
 ## Move certificates from Level-2 machine to Level-1 machine
 
@@ -52,7 +56,7 @@ You are all set!
 
 ## FAQ and debug
 
-If your edge browser is not allowing you to login, check the following logs: 
+You should be able to log into Edge browser without password. If Edge is not happy, check the following logs: 
 
 1. Any error message in `journalctl --user -u microsoft-identity-broker.service`?
 2. Any error message in `sudo journalctl -u microsoft-identity-device-broker.service`? 
@@ -92,13 +96,44 @@ Sign out and sign in again.
 
 This directory was renamed from `msft-identity-broker` to `microsoft-identity-broker` in latest intune. Either upgrade your identity broker, or rename things manually (might be error-prone).
 
-#### Ubuntu side (officially supported)
-
-- Cannot log into intune-portal, something went wrong (2400)
+- Cannot log into intune-portal: something went wrong (2400)
 
-Uninstall intune-portal and all other microsoft packages. Do `apt update` and install it again.
+Unknown reason. (TODO: RCA) Uninstall intune-portal and all other microsoft packages. Do `apt update` and install it again. It worked for me.
 
-- Cannot log into intune-portal, something went wrong (1001)
+- Cannot log into intune-portal: something went wrong (1001)
 
 Simply try again. It will work.
 
+- Cannot log into intune-portal: Terms of use error. we couldn't sign you in.
+
+On archlinux, if you get this error, please make sure your `/etc/os-release` is ubuntu. This is a sample:
+
+```
+NAME="Ubuntu"
+VERSION="20.04.6 LTS (Focal Fossa)"
+ID=ubuntu
+ID_LIKE=debian
+PRETTY_NAME="Ubuntu 20.04.6 LTS"
+VERSION_ID="20.04"
+HOME_URL="https://www.ubuntu.com/"
+SUPPORT_URL="https://help.ubuntu.com/"
+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+VERSION_CODENAME=focal
+UBUNTU_CODENAME=focal
+```
+
+If getting this problem on ubuntu... I don't know.
+
+- intune-portal crashed after code 1200:
+
+`rm -rf ~/.Microsoft ~/.cache/intune-portal` and try again.
+
+- couldn't enroll your device. There was an expected error trying to enroll the device.
+
+Terminal shows 400 bad request. I fixed this problem by `rm -rf ~/.Microsoft ~/.cache/intune-portal`, reinstall intune-portal, and enroll again.
+
+## TODO
+
+Test on Manjaro Linux.
+
diff --git a/intune-portal/PKGBUILD b/intune-portal/PKGBUILD
new file mode 100644
index 0000000000000000000000000000000000000000..3b4b9c6d0cd75f486766715a530afea468cb0739
--- /dev/null
+++ b/intune-portal/PKGBUILD
@@ -0,0 +1,32 @@
+# Maintainer: Recolic K <root@recolic.net>
+
+pkgname=intune-portal
+pkgver=1.2312.35
+pkgrel=0
+pkgdesc="Microsoft Intune helps organizations manage access to corporate apps, data, and resources."
+url="https://packages.microsoft.com/ubuntu/20.04/prod/pool/main/i/intune-portal"
+license=("GPL2")
+arch=("x86_64")
+# Official Depends: libsoup2.4-1 (>= 2.4.0), libgtk-3-0 (>= 3.21.4), msalsdk-dbusclient (>= 1.0), libssl1.1 (>= 1.1.0), libcurl4 (>= 7.16.2), libc6 (>= 2.29), libsystemd0, libdbus-1-3 (>= 1.9.14), zlib1g (>= 1:1.2.0), libatk1.0-0 (>= 1.12.4), libuuid1 (>= 2.16), libglib2.0-0 (>= 2.35.8), libpam-pwquality (>= 1.4.0-2), gnome-keyring (>= 3.36), libgtk-3-0 (>= 3.9.10), libx11-6, libjavascriptcoregtk-4.0-18, libpango-1.0-0 (>= 1.14.0), libc6 (>= 2.28), libwebkit2gtk-4.0-37 (>= 2.5.3), libsecret-1-0 (>= 0.7), libglib2.0-0 (>= 2.12.0), libpam0g (>= 0.99.7.1), libstdc++6 (>= 9), libsqlite3-0 (>= 3.7.14)
+depends=("msalsdk-dbusclient" "gnome-keyring" "libsecret" "openssl-1.1" "webkit2gtk" "libjxl>0.9.0")
+makedepends=()
+conflicts=()
+replaces=()
+backup=()
+source=("source.deb::$url/${pkgname}_${pkgver}-focal_amd64.deb")
+validpgpkeys=("")
+sha256sums=("501005d25714a1a3e26d7a2b4a2eac677ace8edd0b5869cd152308fd69bc4a61")
+install=x.install
+
+package() {
+  cd "$srcdir"
+  ar x source.deb
+  tar xvJf data.tar.xz
+
+  mkdir -p usr/bin
+  [ ! -f usr/bin/intune-portal ] && ln -s ../../opt/microsoft/intune/bin/intune-portal usr/bin/intune-portal
+  cp -r "$srcdir/usr" "$srcdir/opt" "$pkgdir/"
+  cp -r "$srcdir/lib" "$pkgdir/usr/"
+}
+
+# term of use error. we cannot sign you in.
diff --git a/intune-portal/x.install b/intune-portal/x.install
new file mode 100644
index 0000000000000000000000000000000000000000..c2a0c352ac9ee4846b615116f95159b4c3d4baf2
--- /dev/null
+++ b/intune-portal/x.install
@@ -0,0 +1,31 @@
+post_upgrade() {
+    # Restart polkit to get any new authorization actions we put down
+    systemctl restart polkit.service 2>/dev/null
+}
+
+post_install() {
+    if [ -d /run/systemd/system ] ; then
+        systemd-tmpfiles --create intune.conf
+    fi
+
+    systemctl --system daemon-reload
+    systemctl enable intune-daemon.socket --now
+
+    post_upgrade
+
+    echo "Please run: systemctl enable --now --user intune-agent.timer" 1>&2
+}
+
+pre_remove()
+{
+    systemctl disable intune-daemon.socket --now
+}
+
+pre_upgrade() {
+    pre_remove
+}
+
+post_remove() {
+    systemctl --system daemon-reload
+}
+