Hi
Changing the key will impact the dmvpn cloud when routers do the rekey.
If you change first the hub, all spokes will loose connectivity until you finished rolling out your changes. If you do the invert, spokes will be unreachable until hub has its key changed.
If your routers are behind an isp router handling the nat and key isn't changed yet on your spoke, it can be stuck for a while until the nat times out.
First thing is to enable ssh from the outside to avoid losing spokes to push the new key to.
Then, you can do a script to change them all in a quick and smoother way.
Personally i always mount 2 dmvpn clouds. 1 using key with limited access and 1 using certificates. This allows you to change the key as often as possible because user connectivity is always handled by the certificate cloud. Certificates are additionally renewed using your key dmvpn cloud. In that situation, you always have a backup plan for your users and yourself to access devices.
Does it make sense?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question